[ { "techID": "T1001", "techName": "Data Obfuscation", "technique": "T1001: Data Obfuscation", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1001", "lowestLevel": "n", "mitigations": 1, "nist": 7, "cis": 1, "d3fend": 9, "engage": 3, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1001.001", "techName": "Junk Data", "technique": "T1001.001: Junk Data", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1001/001", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1001.002", "techName": "Steganography", "technique": "T1001.002: Steganography", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1001/002", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1001.003", "techName": "Protocol Impersonation", "technique": "T1001.003: Protocol Impersonation", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1001/003", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": null, "d3fend": 9, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1003", "techName": "OS Credential Dumping", "technique": "T1003: OS Credential Dumping", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1003", "lowestLevel": "n", "mitigations": 8, "nist": 21, "cis": 24, "d3fend": 26, "engage": 7, "splunk": 31, "splunk_threatHunting": 5, "elastic": 9, "eql_analytics": 6, "azure_fullStack": 6, "sentinel_defender": 7, "azure_sentinel": 5, "logpoint": 48, "proofpoint_emergingThreats": 11, "tanium_threatResponse": 2, "aws": 1, "gcp": null, "car": null, "atc": 44, "sigma": 15, "th_playbook": 5, "art": 3, "car_red": null, "rta": null, "prelude": 1, "stockpile": 1, "scythe": 2, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 2, "validate_potential": 3 }, { "techID": "T1003.001", "techName": "LSASS Memory", "technique": "T1003.001: LSASS Memory", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1003/001", "lowestLevel": "y", "mitigations": 6, "nist": 16, "cis": null, "d3fend": 12, "engage": null, "splunk": 13, "splunk_threatHunting": null, "elastic": 14, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": 7, "proofpoint_emergingThreats": null, "tanium_threatResponse": 7, "aws": null, "gcp": null, "car": 5, "atc": null, "sigma": 65, "th_playbook": null, "art": 12, "car_red": 6, "rta": null, "prelude": 4, "stockpile": 3, "scythe": 11, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1003.002", "techName": "Security Account Manager", "technique": "T1003.002: Security Account Manager", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1003/002", "lowestLevel": "y", "mitigations": 4, "nist": 15, "cis": null, "d3fend": 12, "engage": null, "splunk": 10, "splunk_threatHunting": null, "elastic": 5, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 4, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 27, "th_playbook": null, "art": 7, "car_red": 1, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1003.003", "techName": "NTDS", "technique": "T1003.003: NTDS", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1003/003", "lowestLevel": "y", "mitigations": 4, "nist": 18, "cis": null, "d3fend": 4, "engage": null, "splunk": 7, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": 2, "atc": null, "sigma": 18, "th_playbook": null, "art": 8, "car_red": 1, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1003.004", "techName": "LSA Secrets", "technique": "T1003.004: LSA Secrets", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1003/004", "lowestLevel": "y", "mitigations": 3, "nist": 14, "cis": null, "d3fend": 10, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 12, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1003.005", "techName": "Cached Domain Credentials", "technique": "T1003.005: Cached Domain Credentials", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1003/005", "lowestLevel": "y", "mitigations": 5, "nist": 17, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 8, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1003.006", "techName": "DCSync", "technique": "T1003.006: DCSync", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1003/006", "lowestLevel": "y", "mitigations": 3, "nist": 16, "cis": null, "d3fend": 14, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 8, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1003.007", "techName": "Proc Filesystem", "technique": "T1003.007: Proc Filesystem", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1003/007", "lowestLevel": "y", "mitigations": 2, "nist": 14, "cis": null, "d3fend": 8, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1003.008", "techName": "/etc/passwd and /etc/shadow", "technique": "T1003.008: /etc/passwd and /etc/shadow", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1003/008", "lowestLevel": "y", "mitigations": 2, "nist": 14, "cis": null, "d3fend": 7, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1005", "techName": "Data from Local System", "technique": "T1005: Data from Local System", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1005", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 8, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": 7, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 7, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": 2, "stockpile": 6, "scythe": 8, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1006", "techName": "Direct Volume Access", "technique": "T1006: Direct Volume Access", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1006", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 1, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": 1, "sigma": 1, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1007", "techName": "System Service Discovery", "technique": "T1007: System Service Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1007", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 9, "splunk": null, "splunk_threatHunting": 1, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 2, "atc": 1, "sigma": 3, "th_playbook": 1, "art": 3, "car_red": 1, "rta": 1, "prelude": 1, "stockpile": 1, "scythe": 11, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1008", "techName": "Fallback Channels", "technique": "T1008: Fallback Channels", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1008", "lowestLevel": "y", "mitigations": 1, "nist": 8, "cis": 1, "d3fend": 9, "engage": 5, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 4, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 48, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1010", "techName": "Application Window Discovery", "technique": "T1010: Application Window Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1010", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 3, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 1, "th_playbook": null, "art": 1, "car_red": 1, "rta": null, "prelude": 1, "stockpile": 1, "scythe": 3, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 2, "validate_potential": 1 }, { "techID": "T1011", "techName": "Exfiltration Over Other Network Medium", "technique": "T1011: Exfiltration Over Other Network Medium", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1011", "lowestLevel": "n", "mitigations": 1, "nist": 4, "cis": 2, "d3fend": 8, "engage": 9, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": 1, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1011.001", "techName": "Exfiltration Over Bluetooth", "technique": "T1011.001: Exfiltration Over Bluetooth", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1011/001", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1012", "techName": "Query Registry", "technique": "T1012: Query Registry", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1012", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 5, "splunk": null, "splunk_threatHunting": 2, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 1, "azure_sentinel": 2, "logpoint": 8, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 3, "atc": 5, "sigma": 11, "th_playbook": 2, "art": 1, "car_red": 2, "rta": null, "prelude": 1, "stockpile": 1, "scythe": 35, "policy_process_volume": 1, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1014", "techName": "Rootkit", "technique": "T1014: Rootkit", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1014", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 7, "engage": 3, "splunk": 3, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1016", "techName": "System Network Configuration Discovery", "technique": "T1016: System Network Configuration Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1016", "lowestLevel": "n", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 8, "splunk": 3, "splunk_threatHunting": 1, "elastic": 2, "eql_analytics": 2, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": null, "gcp": null, "car": 2, "atc": null, "sigma": 8, "th_playbook": null, "art": 8, "car_red": 1, "rta": 1, "prelude": 2, "stockpile": 7, "scythe": 39, "policy_process_volume": 2, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1016.001", "techName": "Internet Connection Discovery", "technique": "T1016.001: Internet Connection Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1016/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1018", "techName": "Remote System Discovery", "technique": "T1018: Remote System Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1018", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 7, "splunk": 18, "splunk_threatHunting": 2, "elastic": 4, "eql_analytics": 2, "azure_fullStack": 2, "sentinel_defender": 2, "azure_sentinel": 2, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": 2, "gcp": 1, "car": 1, "atc": 1, "sigma": 14, "th_playbook": null, "art": 19, "car_red": 1, "rta": 1, "prelude": 3, "stockpile": 8, "scythe": 8, "policy_process_volume": 2, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1020", "techName": "Automated Exfiltration", "technique": "T1020: Automated Exfiltration", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1020", "lowestLevel": "n", "mitigations": null, "nist": null, "cis": null, "d3fend": 8, "engage": 10, "splunk": 6, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": 4, "azure_sentinel": null, "logpoint": 6, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": 2, "sigma": 5, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 3, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1020.001", "techName": "Traffic Duplication", "technique": "T1020.001: Traffic Duplication", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1020/001", "lowestLevel": "y", "mitigations": 1, "nist": 12, "cis": null, "d3fend": null, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1021", "techName": "Remote Services", "technique": "T1021: Remote Services", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1021", "lowestLevel": "n", "mitigations": 3, "nist": 12, "cis": 15, "d3fend": 9, "engage": 5, "splunk": 24, "splunk_threatHunting": null, "elastic": 17, "eql_analytics": 1, "azure_fullStack": 7, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": 23, "proofpoint_emergingThreats": null, "tanium_threatResponse": 8, "aws": 3, "gcp": null, "car": 1, "atc": 2, "sigma": 1, "th_playbook": 4, "art": null, "car_red": 2, "rta": 1, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 2, "validate_potential": 3 }, { "techID": "T1021.001", "techName": "Remote Desktop Protocol", "technique": "T1021.001: Remote Desktop Protocol", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1021/001", "lowestLevel": "y", "mitigations": 8, "nist": 24, "cis": null, "d3fend": 9, "engage": null, "splunk": 9, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 7, "proofpoint_emergingThreats": null, "tanium_threatResponse": 6, "aws": 2, "gcp": null, "car": 3, "atc": null, "sigma": 12, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1021.002", "techName": "SMB/Windows Admin Shares", "technique": "T1021.002: SMB/Windows Admin Shares", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1021/002", "lowestLevel": "y", "mitigations": 4, "nist": 16, "cis": null, "d3fend": 9, "engage": null, "splunk": 5, "splunk_threatHunting": null, "elastic": 8, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": 4, "atc": null, "sigma": 30, "th_playbook": null, "art": 4, "car_red": 1, "rta": null, "prelude": null, "stockpile": 3, "scythe": 1, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1021.003", "techName": "Distributed Component Object Model", "technique": "T1021.003: Distributed Component Object Model", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1021/003", "lowestLevel": "y", "mitigations": 4, "nist": 19, "cis": null, "d3fend": 9, "engage": null, "splunk": 5, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 8, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1021.004", "techName": "SSH", "technique": "T1021.004: SSH", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1021/004", "lowestLevel": "y", "mitigations": 3, "nist": 15, "cis": null, "d3fend": 9, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 6, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1021.005", "techName": "VNC", "technique": "T1021.005: VNC", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1021/005", "lowestLevel": "y", "mitigations": 4, "nist": 23, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1021.006", "techName": "Windows Remote Management", "technique": "T1021.006: Windows Remote Management", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1021/006", "lowestLevel": "y", "mitigations": 3, "nist": 16, "cis": null, "d3fend": 9, "engage": null, "splunk": 6, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": 3, "atc": null, "sigma": 9, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": 2, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1025", "techName": "Data from Removable Media", "technique": "T1025: Data from Removable Media", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1025", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 1, "engage": 5, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1026", "techName": "Multiband Communication", "technique": "T1026: Multiband Communication", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1026", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1027", "techName": "Obfuscated Files or Information", "technique": "T1027: Obfuscated Files or Information", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1027", "lowestLevel": "n", "mitigations": 1, "nist": 4, "cis": 4, "d3fend": 7, "engage": 4, "splunk": 8, "splunk_threatHunting": 1, "elastic": 4, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": 5, "azure_sentinel": 1, "logpoint": 7, "proofpoint_emergingThreats": null, "tanium_threatResponse": 9, "aws": null, "gcp": null, "car": null, "atc": 5, "sigma": 81, "th_playbook": null, "art": 8, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1027.001", "techName": "Binary Padding", "technique": "T1027.001: Binary Padding", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1027/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1027.002", "techName": "Software Packing", "technique": "T1027.002: Software Packing", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1027/002", "lowestLevel": "y", "mitigations": null, "nist": 4, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1027.003", "techName": "Steganography", "technique": "T1027.003: Steganography", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1027/003", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 5, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1027.004", "techName": "Compile After Delivery", "technique": "T1027.004: Compile After Delivery", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1027/004", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 7, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 7, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 5, "th_playbook": null, "art": 5, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1027.005", "techName": "Indicator Removal from Tools", "technique": "T1027.005: Indicator Removal from Tools", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1027/005", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1027.006", "techName": "HTML Smuggling", "technique": "T1027.006: HTML Smuggling", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1027/006", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1029", "techName": "Scheduled Transfer", "technique": "T1029: Scheduled Transfer", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1029", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": 1, "d3fend": 8, "engage": 9, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": 1, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": 1, "rta": null, "prelude": null, "stockpile": 1, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1030", "techName": "Data Transfer Size Limits", "technique": "T1030: Data Transfer Size Limits", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1030", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": 1, "d3fend": 8, "engage": 8, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": 5, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 2, "validate_potential": 1 }, { "techID": "T1033", "techName": "System Owner/User Discovery", "technique": "T1033: System Owner/User Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1033", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 7, "splunk": 7, "splunk_threatHunting": 2, "elastic": 4, "eql_analytics": 2, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": 4, "aws": null, "gcp": null, "car": 2, "atc": 3, "sigma": 18, "th_playbook": null, "art": 5, "car_red": 1, "rta": null, "prelude": 1, "stockpile": 4, "scythe": 26, "policy_process_volume": 2, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1034", "techName": "Path Interception", "technique": "T1034: Path Interception", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1034", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1036", "techName": "Masquerading", "technique": "T1036: Masquerading", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1036", "lowestLevel": "n", "mitigations": 3, "nist": 12, "cis": 10, "d3fend": 11, "engage": 1, "splunk": 18, "splunk_threatHunting": 5, "elastic": 8, "eql_analytics": 1, "azure_fullStack": 3, "sentinel_defender": 2, "azure_sentinel": 2, "logpoint": 26, "proofpoint_emergingThreats": null, "tanium_threatResponse": 28, "aws": null, "gcp": null, "car": 1, "atc": 23, "sigma": 26, "th_playbook": null, "art": 2, "car_red": 1, "rta": 2, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 2, "validate_potential": 3 }, { "techID": "T1036.001", "techName": "Invalid Code Signature", "technique": "T1036.001: Invalid Code Signature", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1036/001", "lowestLevel": "y", "mitigations": 1, "nist": 5, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 5, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1036.002", "techName": "Right-to-Left Override", "technique": "T1036.002: Right-to-Left Override", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1036/002", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1036.003", "techName": "Rename System Utilities", "technique": "T1036.003: Rename System Utilities", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1036/003", "lowestLevel": "y", "mitigations": 1, "nist": 8, "cis": null, "d3fend": 8, "engage": null, "splunk": 13, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 20, "th_playbook": null, "art": 9, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 3, "validate_potential": 1 }, { "techID": "T1036.004", "techName": "Masquerade Task or Service", "technique": "T1036.004: Masquerade Task or Service", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1036/004", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 1, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1036.005", "techName": "Match Legitimate Name or Location", "technique": "T1036.005: Match Legitimate Name or Location", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1036/005", "lowestLevel": "y", "mitigations": 3, "nist": 12, "cis": null, "d3fend": 5, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 21, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 9, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1036.006", "techName": "Space after Filename", "technique": "T1036.006: Space after Filename", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1036/006", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1036.007", "techName": "Double File Extension", "technique": "T1036.007: Double File Extension", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1036/007", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1037", "techName": "Boot or Logon Initialization Scripts", "technique": "T1037: Boot or Logon Initialization Scripts", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1037", "lowestLevel": "n", "mitigations": 1, "nist": 9, "cis": 4, "d3fend": 9, "engage": 1, "splunk": 2, "splunk_threatHunting": 1, "elastic": 3, "eql_analytics": 2, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 8, "aws": 1, "gcp": null, "car": null, "atc": 1, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1037.001", "techName": "Logon Script (Windows)", "technique": "T1037.001: Logon Script (Windows)", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1037/001", "lowestLevel": "y", "mitigations": null, "nist": 2, "cis": null, "d3fend": 7, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 2, "atc": null, "sigma": 2, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1037.002", "techName": "Logon Script (Mac)", "technique": "T1037.002: Logon Script (Mac)", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1037/002", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1037.003", "techName": "Network Logon Script", "technique": "T1037.003: Network Logon Script", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1037/003", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": null, "d3fend": 8, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 8, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1037.004", "techName": "RC Scripts", "technique": "T1037.004: RC Scripts", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1037/004", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": null, "d3fend": 8, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 6, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1037.005", "techName": "Startup Items", "technique": "T1037.005: Startup Items", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1037/005", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": null, "d3fend": 2, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1039", "techName": "Data from Network Shared Drive", "technique": "T1039: Data from Network Shared Drive", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1039", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 1, "engage": 7, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 2, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1040", "techName": "Network Sniffing", "technique": "T1040: Network Sniffing", "tactics": "Credential Access, Discovery", "url": "https://attack.mitre.org/techniques/T1040", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": 11, "d3fend": 1, "engage": 12, "splunk": 1, "splunk_threatHunting": 3, "elastic": 2, "eql_analytics": null, "azure_fullStack": 8, "sentinel_defender": 1, "azure_sentinel": 1, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": 5, "aws": 5, "gcp": null, "car": 1, "atc": 2, "sigma": 8, "th_playbook": null, "art": 12, "car_red": null, "rta": null, "prelude": 1, "stockpile": 1, "scythe": null, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1041", "techName": "Exfiltration Over C2 Channel", "technique": "T1041: Exfiltration Over C2 Channel", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1041", "lowestLevel": "y", "mitigations": 1, "nist": 5, "cis": 1, "d3fend": 12, "engage": 9, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": 8, "proofpoint_emergingThreats": null, "tanium_threatResponse": 22, "aws": 3, "gcp": null, "car": null, "atc": 2, "sigma": 3, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": 3, "stockpile": 1, "scythe": 19, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1043", "techName": "Commonly Used Port", "technique": "T1043: Commonly Used Port", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1043", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": 1, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": 2, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1046", "techName": "Network Service Scanning", "technique": "T1046: Network Service Scanning", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1046", "lowestLevel": "y", "mitigations": 3, "nist": 11, "cis": 13, "d3fend": null, "engage": 11, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": 1, "azure_fullStack": 5, "sentinel_defender": 7, "azure_sentinel": null, "logpoint": 28, "proofpoint_emergingThreats": 2, "tanium_threatResponse": null, "aws": 6, "gcp": 1, "car": 2, "atc": 1, "sigma": 10, "th_playbook": null, "art": 8, "car_red": 1, "rta": null, "prelude": null, "stockpile": 3, "scythe": 6, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 2, "validate_potential": 3 }, { "techID": "T1047", "techName": "Windows Management Instrumentation", "technique": "T1047: Windows Management Instrumentation", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1047", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": 17, "d3fend": null, "engage": 8, "splunk": 12, "splunk_threatHunting": 5, "elastic": 5, "eql_analytics": 2, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": 5, "logpoint": 9, "proofpoint_emergingThreats": 1, "tanium_threatResponse": 9, "aws": null, "gcp": null, "car": 3, "atc": 1, "sigma": 37, "th_playbook": 3, "art": 10, "car_red": null, "rta": 2, "prelude": null, "stockpile": 2, "scythe": 11, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1048", "techName": "Exfiltration Over Alternative Protocol", "technique": "T1048: Exfiltration Over Alternative Protocol", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1048", "lowestLevel": "n", "mitigations": 3, "nist": 12, "cis": 8, "d3fend": 13, "engage": 9, "splunk": 9, "splunk_threatHunting": null, "elastic": 6, "eql_analytics": null, "azure_fullStack": 8, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": 5, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": 4, "gcp": null, "car": null, "atc": 4, "sigma": 7, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1048.001", "techName": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "technique": "T1048.001: Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1048/001", "lowestLevel": "y", "mitigations": 3, "nist": 12, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1048.002", "techName": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "technique": "T1048.002: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1048/002", "lowestLevel": "y", "mitigations": 3, "nist": 12, "cis": null, "d3fend": 13, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1048.003", "techName": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "technique": "T1048.003: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1048/003", "lowestLevel": "y", "mitigations": 3, "nist": 12, "cis": null, "d3fend": 9, "engage": null, "splunk": 9, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 6, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": 4, "gcp": null, "car": null, "atc": null, "sigma": 14, "th_playbook": null, "art": 6, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": 1, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1049", "techName": "System Network Connections Discovery", "technique": "T1049: System Network Connections Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1049", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 8, "splunk": 5, "splunk_threatHunting": 1, "elastic": 1, "eql_analytics": 2, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 1, "atc": 1, "sigma": 8, "th_playbook": null, "art": 4, "car_red": 1, "rta": 1, "prelude": 4, "stockpile": 1, "scythe": 10, "policy_process_volume": 2, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1051", "techName": "Shared Webroot", "technique": "T1051: Shared Webroot", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1051", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1052", "techName": "Exfiltration Over Physical Medium", "technique": "T1052: Exfiltration Over Physical Medium", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1052", "lowestLevel": "n", "mitigations": 2, "nist": 10, "cis": 8, "d3fend": 1, "engage": 11, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1052.001", "techName": "Exfiltration over USB", "technique": "T1052.001: Exfiltration over USB", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1052/001", "lowestLevel": "y", "mitigations": 2, "nist": 10, "cis": null, "d3fend": 1, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1053", "techName": "Scheduled Task/Job", "technique": "T1053: Scheduled Task/Job", "tactics": "Execution, Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1053", "lowestLevel": "n", "mitigations": 4, "nist": 15, "cis": 38, "d3fend": 7, "engage": 3, "splunk": 28, "splunk_threatHunting": 2, "elastic": 1, "eql_analytics": 3, "azure_fullStack": 4, "sentinel_defender": 2, "azure_sentinel": 2, "logpoint": 10, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": 2, "gcp": null, "car": null, "atc": 1, "sigma": 12, "th_playbook": null, "art": null, "car_red": null, "rta": 2, "prelude": null, "stockpile": null, "scythe": 16, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1053.001", "techName": "At (Linux)", "technique": "T1053.001: At (Linux)", "tactics": "Execution, Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1053/001", "lowestLevel": "y", "mitigations": 2, "nist": 9, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1053.002", "techName": "At (Windows)", "technique": "T1053.002: At (Windows)", "tactics": "Execution, Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1053/002", "lowestLevel": "y", "mitigations": 4, "nist": 14, "cis": null, "d3fend": 4, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": 2, "atc": null, "sigma": 8, "th_playbook": null, "art": 6, "car_red": 1, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1053.003", "techName": "Cron", "technique": "T1053.003: Cron", "tactics": "Execution, Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1053/003", "lowestLevel": "y", "mitigations": 2, "nist": 9, "cis": null, "d3fend": 4, "engage": null, "splunk": 6, "splunk_threatHunting": null, "elastic": 5, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 6, "th_playbook": null, "art": 9, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1053.004", "techName": "Launchd", "technique": "T1053.004: Launchd", "tactics": "Execution, Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1053/004", "lowestLevel": "y", "mitigations": 2, "nist": 9, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1053.005", "techName": "Scheduled Task", "technique": "T1053.005: Scheduled Task", "tactics": "Execution, Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1053/005", "lowestLevel": "y", "mitigations": 4, "nist": 14, "cis": null, "d3fend": 4, "engage": null, "splunk": 15, "splunk_threatHunting": null, "elastic": 8, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 11, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 6, "atc": null, "sigma": 30, "th_playbook": null, "art": 24, "car_red": 4, "rta": null, "prelude": null, "stockpile": null, "scythe": 32, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1053.006", "techName": "Systemd Timers", "technique": "T1053.006: Systemd Timers", "tactics": "Execution, Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1053/006", "lowestLevel": "y", "mitigations": 3, "nist": 9, "cis": null, "d3fend": null, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 9, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 3, "validate_potential": 1 }, { "techID": "T1053.007", "techName": "Container Orchestration Job", "technique": "T1053.007: Container Orchestration Job", "tactics": "Execution, Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1053/007", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 6, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1055", "techName": "Process Injection", "technique": "T1055: Process Injection", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1055", "lowestLevel": "n", "mitigations": 2, "nist": 12, "cis": 7, "d3fend": 15, "engage": 1, "splunk": 21, "splunk_threatHunting": 3, "elastic": 11, "eql_analytics": 2, "azure_fullStack": 3, "sentinel_defender": 1, "azure_sentinel": 1, "logpoint": 25, "proofpoint_emergingThreats": null, "tanium_threatResponse": 34, "aws": null, "gcp": null, "car": null, "atc": 13, "sigma": 22, "th_playbook": 1, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": null, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 2, "validate_potential": 3 }, { "techID": "T1055.001", "techName": "Dynamic-link Library Injection", "technique": "T1055.001: Dynamic-link Library Injection", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1055/001", "lowestLevel": "y", "mitigations": null, "nist": 6, "cis": null, "d3fend": 5, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": 2, "atc": null, "sigma": 8, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1055.002", "techName": "Portable Executable Injection", "technique": "T1055.002: Portable Executable Injection", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1055/002", "lowestLevel": "y", "mitigations": null, "nist": 6, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": 3, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 2, "validate_potential": 1 }, { "techID": "T1055.003", "techName": "Thread Execution Hijacking", "technique": "T1055.003: Thread Execution Hijacking", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1055/003", "lowestLevel": "y", "mitigations": null, "nist": 6, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1055.004", "techName": "Asynchronous Procedure Call", "technique": "T1055.004: Asynchronous Procedure Call", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1055/004", "lowestLevel": "y", "mitigations": null, "nist": 6, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1055.005", "techName": "Thread Local Storage", "technique": "T1055.005: Thread Local Storage", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1055/005", "lowestLevel": "y", "mitigations": null, "nist": 6, "cis": null, "d3fend": 2, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1055.008", "techName": "Ptrace System Calls", "technique": "T1055.008: Ptrace System Calls", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1055/008", "lowestLevel": "y", "mitigations": 1, "nist": 12, "cis": null, "d3fend": 2, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1055.009", "techName": "Proc Memory", "technique": "T1055.009: Proc Memory", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1055/009", "lowestLevel": "y", "mitigations": 1, "nist": 9, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1055.011", "techName": "Extra Window Memory Injection", "technique": "T1055.011: Extra Window Memory Injection", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1055/011", "lowestLevel": "y", "mitigations": null, "nist": 6, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1055.012", "techName": "Process Hollowing", "technique": "T1055.012: Process Hollowing", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1055/012", "lowestLevel": "y", "mitigations": null, "nist": 6, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 2, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 3, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1055.013", "techName": "Process Doppelgänging", "technique": "T1055.013: Process Doppelgänging", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1055/013", "lowestLevel": "y", "mitigations": null, "nist": 6, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1055.014", "techName": "VDSO Hijacking", "technique": "T1055.014: VDSO Hijacking", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1055/014", "lowestLevel": "y", "mitigations": null, "nist": 6, "cis": null, "d3fend": 5, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1056", "techName": "Input Capture", "technique": "T1056: Input Capture", "tactics": "Collection, Credential Access", "url": "https://attack.mitre.org/techniques/T1056", "lowestLevel": "n", "mitigations": null, "nist": null, "cis": null, "d3fend": 8, "engage": 4, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 5, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 9, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 3, "validate_potential": 1 }, { "techID": "T1056.001", "techName": "Keylogging", "technique": "T1056.001: Keylogging", "tactics": "Collection, Credential Access", "url": "https://attack.mitre.org/techniques/T1056/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": 2, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 14, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": 3, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 3, "validate_potential": 1 }, { "techID": "T1056.002", "techName": "GUI Input Capture", "technique": "T1056.002: GUI Input Capture", "tactics": "Collection, Credential Access", "url": "https://attack.mitre.org/techniques/T1056/002", "lowestLevel": "y", "mitigations": 1, "nist": 4, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1056.003", "techName": "Web Portal Capture", "technique": "T1056.003: Web Portal Capture", "tactics": "Collection, Credential Access", "url": "https://attack.mitre.org/techniques/T1056/003", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": null, "d3fend": 2, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1056.004", "techName": "Credential API Hooking", "technique": "T1056.004: Credential API Hooking", "tactics": "Collection, Credential Access", "url": "https://attack.mitre.org/techniques/T1056/004", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1057", "techName": "Process Discovery", "technique": "T1057: Process Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1057", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 6, "splunk": null, "splunk_threatHunting": 1, "elastic": 2, "eql_analytics": 2, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 2, "atc": null, "sigma": 6, "th_playbook": null, "art": 5, "car_red": 1, "rta": 1, "prelude": 3, "stockpile": 9, "scythe": 19, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1059", "techName": "Command and Scripting Interpreter", "technique": "T1059: Command and Scripting Interpreter", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1059", "lowestLevel": "n", "mitigations": 6, "nist": 21, "cis": 3, "d3fend": 7, "engage": 5, "splunk": 52, "splunk_threatHunting": 1, "elastic": 19, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": 12, "azure_sentinel": 1, "logpoint": 55, "proofpoint_emergingThreats": null, "tanium_threatResponse": 273, "aws": 1, "gcp": 1, "car": 1, "atc": 12, "sigma": 38, "th_playbook": 3, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 30, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1059.001", "techName": "PowerShell", "technique": "T1059.001: PowerShell", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1059/001", "lowestLevel": "y", "mitigations": 5, "nist": 16, "cis": null, "d3fend": 7, "engage": null, "splunk": 28, "splunk_threatHunting": null, "elastic": 17, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 31, "proofpoint_emergingThreats": null, "tanium_threatResponse": 46, "aws": 1, "gcp": null, "car": 3, "atc": null, "sigma": 173, "th_playbook": null, "art": 21, "car_red": null, "rta": null, "prelude": 2, "stockpile": 8, "scythe": 29, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1059.002", "techName": "AppleScript", "technique": "T1059.002: AppleScript", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1059/002", "lowestLevel": "y", "mitigations": 3, "nist": 11, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 2, "validate_potential": 1 }, { "techID": "T1059.003", "techName": "Windows Command Shell", "technique": "T1059.003: Windows Command Shell", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1059/003", "lowestLevel": "y", "mitigations": 3, "nist": 4, "cis": null, "d3fend": 7, "engage": null, "splunk": 9, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 5, "proofpoint_emergingThreats": null, "tanium_threatResponse": 152, "aws": null, "gcp": null, "car": 2, "atc": null, "sigma": 20, "th_playbook": null, "art": 5, "car_red": 1, "rta": null, "prelude": null, "stockpile": null, "scythe": 32, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1059.004", "techName": "Unix Shell", "technique": "T1059.004: Unix Shell", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1059/004", "lowestLevel": "y", "mitigations": 1, "nist": 4, "cis": null, "d3fend": 7, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": 16, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 68, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 8, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": 1, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1059.005", "techName": "Visual Basic", "technique": "T1059.005: Visual Basic", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1059/005", "lowestLevel": "y", "mitigations": 4, "nist": 11, "cis": null, "d3fend": 7, "engage": null, "splunk": 4, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": 8, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 18, "th_playbook": null, "art": 3, "car_red": 1, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1059.006", "techName": "Python", "technique": "T1059.006: Python", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1059/006", "lowestLevel": "y", "mitigations": 4, "nist": 10, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 8, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1059.007", "techName": "JavaScript", "technique": "T1059.007: JavaScript", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1059/007", "lowestLevel": "y", "mitigations": 3, "nist": 10, "cis": null, "d3fend": 7, "engage": null, "splunk": 4, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 13, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1059.008", "techName": "Network Device CLI", "technique": "T1059.008: Network Device CLI", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1059/008", "lowestLevel": "y", "mitigations": 3, "nist": 11, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1061", "techName": "Graphical User Interface", "technique": "T1061: Graphical User Interface", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1061", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1062", "techName": "Hypervisor", "technique": "T1062: Hypervisor", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1062", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1064", "techName": "Scripting", "technique": "T1064: Scripting", "tactics": "Defense Evasion, Execution", "url": "https://attack.mitre.org/techniques/T1064", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": 1, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": 3, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 2, "validate_potential": 1 }, { "techID": "T1068", "techName": "Exploitation for Privilege Escalation", "technique": "T1068: Exploitation for Privilege Escalation", "tactics": "Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1068", "lowestLevel": "y", "mitigations": 4, "nist": 25, "cis": 6, "d3fend": 6, "engage": 8, "splunk": 10, "splunk_threatHunting": null, "elastic": 15, "eql_analytics": null, "azure_fullStack": 13, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": 12, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": 3, "gcp": null, "car": 1, "atc": 3, "sigma": 21, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 2, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1069", "techName": "Permission Groups Discovery", "technique": "T1069: Permission Groups Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1069", "lowestLevel": "n", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 5, "splunk": 25, "splunk_threatHunting": 2, "elastic": 1, "eql_analytics": 1, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": 2, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 7, "aws": null, "gcp": null, "car": null, "atc": 1, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": 1, "prelude": 1, "stockpile": null, "scythe": 7, "policy_process_volume": 1, "detect_volume": 3, "test_volume": 2, "validate_potential": 3 }, { "techID": "T1069.001", "techName": "Local Groups", "technique": "T1069.001: Local Groups", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1069/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 11, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 5, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 13, "th_playbook": null, "art": 6, "car_red": null, "rta": null, "prelude": 2, "stockpile": 1, "scythe": 4, "policy_process_volume": 0, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1069.002", "techName": "Domain Groups", "technique": "T1069.002: Domain Groups", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1069/002", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 18, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 7, "aws": null, "gcp": null, "car": 3, "atc": null, "sigma": 8, "th_playbook": null, "art": 13, "car_red": 1, "rta": null, "prelude": null, "stockpile": 1, "scythe": 6, "policy_process_volume": 0, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1069.003", "techName": "Cloud Groups", "technique": "T1069.003: Cloud Groups", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1069/003", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1070", "techName": "Indicator Removal on Host", "technique": "T1070: Indicator Removal on Host", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1070", "lowestLevel": "n", "mitigations": 3, "nist": 21, "cis": 12, "d3fend": 5, "engage": 4, "splunk": 23, "splunk_threatHunting": 1, "elastic": 2, "eql_analytics": 3, "azure_fullStack": 4, "sentinel_defender": 2, "azure_sentinel": 1, "logpoint": 15, "proofpoint_emergingThreats": null, "tanium_threatResponse": 6, "aws": 1, "gcp": null, "car": null, "atc": 8, "sigma": 11, "th_playbook": null, "art": 1, "car_red": null, "rta": 1, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 2, "validate_potential": 3 }, { "techID": "T1070.001", "techName": "Clear Windows Event Logs", "technique": "T1070.001: Clear Windows Event Logs", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1070/001", "lowestLevel": "y", "mitigations": 3, "nist": 21, "cis": null, "d3fend": null, "engage": null, "splunk": 6, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 2, "atc": null, "sigma": 8, "th_playbook": null, "art": 3, "car_red": 1, "rta": null, "prelude": null, "stockpile": 1, "scythe": 8, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1070.002", "techName": "Clear Linux or Mac System Logs", "technique": "T1070.002: Clear Linux or Mac System Logs", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1070/002", "lowestLevel": "y", "mitigations": 3, "nist": 21, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1070.003", "techName": "Clear Command History", "technique": "T1070.003: Clear Command History", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1070/003", "lowestLevel": "y", "mitigations": 2, "nist": 10, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": 1, "atc": null, "sigma": 6, "th_playbook": null, "art": 11, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1070.004", "techName": "File Deletion", "technique": "T1070.004: File Deletion", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1070/004", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 3, "engage": null, "splunk": 12, "splunk_threatHunting": null, "elastic": 4, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 11, "th_playbook": null, "art": 10, "car_red": null, "rta": null, "prelude": null, "stockpile": 2, "scythe": null, "policy_process_volume": 1, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1070.005", "techName": "Network Share Connection Removal", "technique": "T1070.005: Network Share Connection Removal", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1070/005", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 1, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": 1, "atc": null, "sigma": 3, "th_playbook": null, "art": 5, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1070.006", "techName": "Timestomp", "technique": "T1070.006: Timestomp", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1070/006", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 4, "th_playbook": null, "art": 8, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 3, "validate_potential": 1 }, { "techID": "T1071", "techName": "Application Layer Protocol", "technique": "T1071: Application Layer Protocol", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1071", "lowestLevel": "n", "mitigations": 1, "nist": 15, "cis": 1, "d3fend": 19, "engage": 2, "splunk": 5, "splunk_threatHunting": 1, "elastic": 4, "eql_analytics": 1, "azure_fullStack": 9, "sentinel_defender": 13, "azure_sentinel": null, "logpoint": 14, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": 4, "gcp": 2, "car": null, "atc": null, "sigma": 6, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 6, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1071.001", "techName": "Web Protocols", "technique": "T1071.001: Web Protocols", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1071/001", "lowestLevel": "y", "mitigations": 1, "nist": 15, "cis": null, "d3fend": 13, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": 5, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 6, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": 28, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": 7, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1071.002", "techName": "File Transfer Protocols", "technique": "T1071.002: File Transfer Protocols", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1071/002", "lowestLevel": "y", "mitigations": 1, "nist": 15, "cis": null, "d3fend": 14, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1071.003", "techName": "Mail Protocols", "technique": "T1071.003: Mail Protocols", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1071/003", "lowestLevel": "y", "mitigations": 1, "nist": 15, "cis": null, "d3fend": 13, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1071.004", "techName": "DNS", "technique": "T1071.004: DNS", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1071/004", "lowestLevel": "y", "mitigations": 2, "nist": 18, "cis": null, "d3fend": 18, "engage": null, "splunk": 4, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 7, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 5, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": 2, "gcp": 1, "car": null, "atc": null, "sigma": 17, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1072", "techName": "Software Deployment Tools", "technique": "T1072: Software Deployment Tools", "tactics": "Execution, Lateral Movement", "url": "https://attack.mitre.org/techniques/T1072", "lowestLevel": "y", "mitigations": 9, "nist": 24, "cis": 42, "d3fend": 5, "engage": 9, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": 2, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1074", "techName": "Data Staged", "technique": "T1074: Data Staged", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1074", "lowestLevel": "n", "mitigations": null, "nist": null, "cis": null, "d3fend": 1, "engage": 2, "splunk": 1, "splunk_threatHunting": 1, "elastic": null, "eql_analytics": 2, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": 2, "stockpile": null, "scythe": 4, "policy_process_volume": 1, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1074.001", "techName": "Local Data Staging", "technique": "T1074.001: Local Data Staging", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1074/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 4, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": 2, "scythe": 17, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 3, "validate_potential": 1 }, { "techID": "T1074.002", "techName": "Remote Data Staging", "technique": "T1074.002: Remote Data Staging", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1074/002", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 1, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1078", "techName": "Valid Accounts", "technique": "T1078: Valid Accounts", "tactics": "Defense Evasion, Persistence, Privilege Escalation, Initial Access", "url": "https://attack.mitre.org/techniques/T1078", "lowestLevel": "n", "mitigations": 3, "nist": 24, "cis": 46, "d3fend": 12, "engage": 11, "splunk": 39, "splunk_threatHunting": null, "elastic": 16, "eql_analytics": null, "azure_fullStack": 16, "sentinel_defender": 42, "azure_sentinel": null, "logpoint": 24, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 8, "gcp": null, "car": null, "atc": 6, "sigma": 35, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": 15, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1078.001", "techName": "Default Accounts", "technique": "T1078.001: Default Accounts", "tactics": "Defense Evasion, Persistence, Privilege Escalation, Initial Access", "url": "https://attack.mitre.org/techniques/T1078/001", "lowestLevel": "y", "mitigations": 1, "nist": 14, "cis": null, "d3fend": 10, "engage": null, "splunk": 4, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 8, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1078.002", "techName": "Domain Accounts", "technique": "T1078.002: Domain Accounts", "tactics": "Defense Evasion, Persistence, Privilege Escalation, Initial Access", "url": "https://attack.mitre.org/techniques/T1078/002", "lowestLevel": "y", "mitigations": 2, "nist": 12, "cis": null, "d3fend": 11, "engage": null, "splunk": 6, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1078.003", "techName": "Local Accounts", "technique": "T1078.003: Local Accounts", "tactics": "Defense Evasion, Persistence, Privilege Escalation, Initial Access", "url": "https://attack.mitre.org/techniques/T1078/003", "lowestLevel": "y", "mitigations": 2, "nist": 19, "cis": null, "d3fend": 11, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 5, "atc": null, "sigma": 1, "th_playbook": null, "art": 16, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 6, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1078.004", "techName": "Cloud Accounts", "technique": "T1078.004: Cloud Accounts", "tactics": "Defense Evasion, Persistence, Privilege Escalation, Initial Access", "url": "https://attack.mitre.org/techniques/T1078/004", "lowestLevel": "y", "mitigations": 4, "nist": 22, "cis": null, "d3fend": 10, "engage": null, "splunk": 21, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 14, "sentinel_defender": 36, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 8, "gcp": 5, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1080", "techName": "Taint Shared Content", "technique": "T1080: Taint Shared Content", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1080", "lowestLevel": "y", "mitigations": 3, "nist": 10, "cis": 8, "d3fend": 1, "engage": 7, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1082", "techName": "System Information Discovery", "technique": "T1082: System Information Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1082", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 6, "splunk": 4, "splunk_threatHunting": 1, "elastic": 5, "eql_analytics": 3, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 2, "atc": 1, "sigma": 12, "th_playbook": null, "art": 23, "car_red": 1, "rta": 1, "prelude": 22, "stockpile": 4, "scythe": 45, "policy_process_volume": 2, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1083", "techName": "File and Directory Discovery", "technique": "T1083: File and Directory Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1083", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 11, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 5, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": null, "atc": 1, "sigma": 9, "th_playbook": null, "art": 6, "car_red": null, "rta": null, "prelude": null, "stockpile": 4, "scythe": 33, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1087", "techName": "Account Discovery", "technique": "T1087: Account Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1087", "lowestLevel": "n", "mitigations": 1, "nist": 3, "cis": 2, "d3fend": null, "engage": 7, "splunk": 26, "splunk_threatHunting": 1, "elastic": 3, "eql_analytics": 2, "azure_fullStack": 6, "sentinel_defender": 1, "azure_sentinel": 1, "logpoint": 8, "proofpoint_emergingThreats": null, "tanium_threatResponse": 7, "aws": 1, "gcp": null, "car": null, "atc": 8, "sigma": 9, "th_playbook": null, "art": null, "car_red": null, "rta": 1, "prelude": null, "stockpile": null, "scythe": 9, "policy_process_volume": 2, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1087.001", "techName": "Local Account", "technique": "T1087.001: Local Account", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1087/001", "lowestLevel": "y", "mitigations": 1, "nist": 3, "cis": null, "d3fend": 6, "engage": null, "splunk": 11, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": 5, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 9, "th_playbook": null, "art": 10, "car_red": null, "rta": null, "prelude": 1, "stockpile": 2, "scythe": 1, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1087.002", "techName": "Domain Account", "technique": "T1087.002: Domain Account", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1087/002", "lowestLevel": "y", "mitigations": 1, "nist": 3, "cis": null, "d3fend": 6, "engage": null, "splunk": 19, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": 7, "aws": null, "gcp": null, "car": 2, "atc": null, "sigma": 13, "th_playbook": null, "art": 15, "car_red": 1, "rta": null, "prelude": 1, "stockpile": 2, "scythe": 10, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1087.003", "techName": "Email Account", "technique": "T1087.003: Email Account", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1087/003", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 5, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1087.004", "techName": "Cloud Account", "technique": "T1087.004: Cloud Account", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1087/004", "lowestLevel": "y", "mitigations": 2, "nist": 6, "cis": null, "d3fend": 5, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1090", "techName": "Proxy", "technique": "T1090: Proxy", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1090", "lowestLevel": "n", "mitigations": 3, "nist": 12, "cis": 1, "d3fend": 10, "engage": 2, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 44, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": 4, "gcp": null, "car": null, "atc": 3, "sigma": 5, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1090.001", "techName": "Internal Proxy", "technique": "T1090.001: Internal Proxy", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1090/001", "lowestLevel": "y", "mitigations": 1, "nist": 8, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1090.002", "techName": "External Proxy", "technique": "T1090.002: External Proxy", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1090/002", "lowestLevel": "y", "mitigations": 1, "nist": 8, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 4, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1090.003", "techName": "Multi-hop Proxy", "technique": "T1090.003: Multi-hop Proxy", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1090/003", "lowestLevel": "y", "mitigations": 1, "nist": 8, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": 4, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1090.004", "techName": "Domain Fronting", "technique": "T1090.004: Domain Fronting", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1090/004", "lowestLevel": "y", "mitigations": 1, "nist": 1, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1091", "techName": "Replication Through Removable Media", "technique": "T1091: Replication Through Removable Media", "tactics": "Lateral Movement, Initial Access", "url": "https://attack.mitre.org/techniques/T1091", "lowestLevel": "y", "mitigations": 2, "nist": 10, "cis": 11, "d3fend": 1, "engage": 8, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1092", "techName": "Communication Through Removable Media", "technique": "T1092: Communication Through Removable Media", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1092", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": 10, "d3fend": 1, "engage": 8, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1095", "techName": "Non-Application Layer Protocol", "technique": "T1095: Non-Application Layer Protocol", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1095", "lowestLevel": "y", "mitigations": 3, "nist": 11, "cis": 8, "d3fend": 9, "engage": 2, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": 4, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1098", "techName": "Account Manipulation", "technique": "T1098: Account Manipulation", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1098", "lowestLevel": "n", "mitigations": 4, "nist": 12, "cis": 18, "d3fend": 20, "engage": 5, "splunk": 5, "splunk_threatHunting": null, "elastic": 5, "eql_analytics": null, "azure_fullStack": 9, "sentinel_defender": 35, "azure_sentinel": null, "logpoint": 16, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": 4, "gcp": null, "car": 1, "atc": 3, "sigma": 21, "th_playbook": null, "art": 9, "car_red": 1, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1098.001", "techName": "Additional Cloud Credentials", "technique": "T1098.001: Additional Cloud Credentials", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1098/001", "lowestLevel": "y", "mitigations": 3, "nist": 15, "cis": null, "d3fend": 19, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 4, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1098.002", "techName": "Exchange Email Delegate Permissions", "technique": "T1098.002: Exchange Email Delegate Permissions", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1098/002", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": null, "d3fend": 6, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1098.003", "techName": "Add Office 365 Global Administrator Role", "technique": "T1098.003: Add Office 365 Global Administrator Role", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1098/003", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": null, "d3fend": 6, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1098.004", "techName": "SSH Authorized Keys", "technique": "T1098.004: SSH Authorized Keys", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1098/004", "lowestLevel": "y", "mitigations": 2, "nist": 9, "cis": null, "d3fend": 5, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1102", "techName": "Web Service", "technique": "T1102: Web Service", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1102", "lowestLevel": "n", "mitigations": 2, "nist": 8, "cis": 6, "d3fend": 9, "engage": 6, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 5, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1102.001", "techName": "Dead Drop Resolver", "technique": "T1102.001: Dead Drop Resolver", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1102/001", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1102.002", "techName": "Bidirectional Communication", "technique": "T1102.002: Bidirectional Communication", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1102/002", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1102.003", "techName": "One-Way Communication", "technique": "T1102.003: One-Way Communication", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1102/003", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1104", "techName": "Multi-Stage Channels", "technique": "T1104: Multi-Stage Channels", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1104", "lowestLevel": "y", "mitigations": 1, "nist": 8, "cis": 1, "d3fend": 9, "engage": 3, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1105", "techName": "Ingress Tool Transfer", "technique": "T1105: Ingress Tool Transfer", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1105", "lowestLevel": "y", "mitigations": 1, "nist": 8, "cis": 1, "d3fend": 9, "engage": 3, "splunk": 18, "splunk_threatHunting": null, "elastic": 9, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 6, "proofpoint_emergingThreats": 1, "tanium_threatResponse": 32, "aws": null, "gcp": null, "car": 4, "atc": 6, "sigma": 38, "th_playbook": null, "art": 26, "car_red": 8, "rta": 3, "prelude": null, "stockpile": 2, "scythe": 37, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1106", "techName": "Native API", "technique": "T1106: Native API", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1106", "lowestLevel": "y", "mitigations": 1, "nist": 1, "cis": 3, "d3fend": 2, "engage": 2, "splunk": null, "splunk_threatHunting": null, "elastic": 4, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": 1, "car": null, "atc": null, "sigma": 10, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1108", "techName": "Redundant Access", "technique": "T1108: Redundant Access", "tactics": "Defense Evasion, Persistence", "url": "https://attack.mitre.org/techniques/T1108", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1110", "techName": "Brute Force", "technique": "T1110: Brute Force", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1110", "lowestLevel": "n", "mitigations": 4, "nist": 14, "cis": 13, "d3fend": 17, "engage": 5, "splunk": 14, "splunk_threatHunting": null, "elastic": 5, "eql_analytics": null, "azure_fullStack": 17, "sentinel_defender": 29, "azure_sentinel": null, "logpoint": 12, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 7, "gcp": 1, "car": null, "atc": null, "sigma": 10, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1110.001", "techName": "Password Guessing", "technique": "T1110.001: Password Guessing", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1110/001", "lowestLevel": "y", "mitigations": 3, "nist": 14, "cis": null, "d3fend": 3, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 16, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 7, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 5, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1110.002", "techName": "Password Cracking", "technique": "T1110.002: Password Cracking", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1110/002", "lowestLevel": "y", "mitigations": 2, "nist": 14, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1110.003", "techName": "Password Spraying", "technique": "T1110.003: Password Spraying", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1110/003", "lowestLevel": "y", "mitigations": 3, "nist": 14, "cis": null, "d3fend": 13, "engage": null, "splunk": 11, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 16, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 7, "gcp": null, "car": null, "atc": null, "sigma": 8, "th_playbook": null, "art": 7, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1110.004", "techName": "Credential Stuffing", "technique": "T1110.004: Credential Stuffing", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1110/004", "lowestLevel": "y", "mitigations": 4, "nist": 14, "cis": null, "d3fend": 13, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 15, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 7, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1111", "techName": "Two-Factor Authentication Interception", "technique": "T1111: Two-Factor Authentication Interception", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1111", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": 9, "d3fend": null, "engage": 3, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1112", "techName": "Modify Registry", "technique": "T1112: Modify Registry", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1112", "lowestLevel": "y", "mitigations": null, "nist": 2, "cis": 2, "d3fend": null, "engage": 3, "splunk": 24, "splunk_threatHunting": 1, "elastic": 3, "eql_analytics": 1, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 9, "proofpoint_emergingThreats": null, "tanium_threatResponse": 45, "aws": null, "gcp": null, "car": 8, "atc": 6, "sigma": 56, "th_playbook": 3, "art": 43, "car_red": 8, "rta": null, "prelude": null, "stockpile": null, "scythe": 9, "policy_process_volume": 2, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1113", "techName": "Screen Capture", "technique": "T1113: Screen Capture", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1113", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 6, "splunk": 3, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 6, "th_playbook": null, "art": 6, "car_red": null, "rta": null, "prelude": 1, "stockpile": 1, "scythe": 13, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 3, "validate_potential": 1 }, { "techID": "T1114", "techName": "Email Collection", "technique": "T1114: Email Collection", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1114", "lowestLevel": "n", "mitigations": 3, "nist": 14, "cis": 30, "d3fend": 10, "engage": 7, "splunk": 8, "splunk_threatHunting": null, "elastic": null, "eql_analytics": 1, "azure_fullStack": 1, "sentinel_defender": 6, "azure_sentinel": null, "logpoint": 9, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": 1, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1114.001", "techName": "Local Email Collection", "technique": "T1114.001: Local Email Collection", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1114/001", "lowestLevel": "y", "mitigations": 1, "nist": 8, "cis": null, "d3fend": 8, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1114.002", "techName": "Remote Email Collection", "technique": "T1114.002: Remote Email Collection", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1114/002", "lowestLevel": "y", "mitigations": 2, "nist": 13, "cis": null, "d3fend": 1, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1114.003", "techName": "Email Forwarding Rule", "technique": "T1114.003: Email Forwarding Rule", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1114/003", "lowestLevel": "y", "mitigations": 2, "nist": 9, "cis": null, "d3fend": 1, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1115", "techName": "Clipboard Data", "technique": "T1115: Clipboard Data", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1115", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 4, "splunk": 1, "splunk_threatHunting": 1, "elastic": null, "eql_analytics": 1, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 6, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": 1, "stockpile": 1, "scythe": 4, "policy_process_volume": 1, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1119", "techName": "Automated Collection", "technique": "T1119: Automated Collection", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1119", "lowestLevel": "y", "mitigations": 2, "nist": 17, "cis": 8, "d3fend": 3, "engage": 7, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 5, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 2, "validate_potential": 1 }, { "techID": "T1120", "techName": "Peripheral Device Discovery", "technique": "T1120: Peripheral Device Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1120", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 6, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": 1, "stockpile": 2, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 2, "validate_potential": 1 }, { "techID": "T1123", "techName": "Audio Capture", "technique": "T1123: Audio Capture", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1123", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 2, "engage": 7, "splunk": null, "splunk_threatHunting": 1, "elastic": 1, "eql_analytics": 2, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": null, "atc": 2, "sigma": 6, "th_playbook": 1, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 3, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1124", "techName": "System Time Discovery", "technique": "T1124: System Time Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1124", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 4, "splunk": 1, "splunk_threatHunting": 1, "elastic": null, "eql_analytics": 1, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": 1, "sigma": 2, "th_playbook": null, "art": 3, "car_red": null, "rta": 2, "prelude": 1, "stockpile": 1, "scythe": 3, "policy_process_volume": 1, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1125", "techName": "Video Capture", "technique": "T1125: Video Capture", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1125", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 2, "engage": 8, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1127", "techName": "Trusted Developer Utilities Proxy Execution", "technique": "T1127: Trusted Developer Utilities Proxy Execution", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1127", "lowestLevel": "n", "mitigations": 2, "nist": 8, "cis": 11, "d3fend": 4, "engage": null, "splunk": 9, "splunk_threatHunting": 2, "elastic": 3, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": 8, "aws": null, "gcp": null, "car": null, "atc": 3, "sigma": 15, "th_playbook": null, "art": 2, "car_red": null, "rta": 3, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1127.001", "techName": "MSBuild", "technique": "T1127.001: MSBuild", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1127/001", "lowestLevel": "y", "mitigations": 1, "nist": 5, "cis": null, "d3fend": 4, "engage": null, "splunk": 6, "splunk_threatHunting": null, "elastic": 5, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 2, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1129", "techName": "Shared Modules", "technique": "T1129: Shared Modules", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1129", "lowestLevel": "y", "mitigations": 1, "nist": 5, "cis": 3, "d3fend": null, "engage": 1, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 11, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1132", "techName": "Data Encoding", "technique": "T1132: Data Encoding", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1132", "lowestLevel": "n", "mitigations": 1, "nist": 7, "cis": 1, "d3fend": 9, "engage": 6, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1132.001", "techName": "Standard Encoding", "technique": "T1132.001: Standard Encoding", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1132/001", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1132.002", "techName": "Non-Standard Encoding", "technique": "T1132.002: Non-Standard Encoding", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1132/002", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1133", "techName": "External Remote Services", "technique": "T1133: External Remote Services", "tactics": "Persistence, Initial Access", "url": "https://attack.mitre.org/techniques/T1133", "lowestLevel": "y", "mitigations": 4, "nist": 18, "cis": 29, "d3fend": 13, "engage": 8, "splunk": null, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 4, "gcp": 1, "car": null, "atc": null, "sigma": 4, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1134", "techName": "Access Token Manipulation", "technique": "T1134: Access Token Manipulation", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1134", "lowestLevel": "n", "mitigations": 2, "nist": 7, "cis": 17, "d3fend": 8, "engage": 3, "splunk": 2, "splunk_threatHunting": null, "elastic": 6, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": 4, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1134.001", "techName": "Token Impersonation/Theft", "technique": "T1134.001: Token Impersonation/Theft", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1134/001", "lowestLevel": "y", "mitigations": 2, "nist": 7, "cis": null, "d3fend": 5, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 5, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1134.002", "techName": "Create Process with Token", "technique": "T1134.002: Create Process with Token", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1134/002", "lowestLevel": "y", "mitigations": 2, "nist": 7, "cis": null, "d3fend": 5, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 5, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1134.003", "techName": "Make and Impersonate Token", "technique": "T1134.003: Make and Impersonate Token", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1134/003", "lowestLevel": "y", "mitigations": 2, "nist": 7, "cis": null, "d3fend": 5, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1134.004", "techName": "Parent PID Spoofing", "technique": "T1134.004: Parent PID Spoofing", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1134/004", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 3, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 10, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1134.005", "techName": "SID-History Injection", "technique": "T1134.005: SID-History Injection", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1134/005", "lowestLevel": "y", "mitigations": 1, "nist": 12, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1135", "techName": "Network Share Discovery", "technique": "T1135: Network Share Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1135", "lowestLevel": "y", "mitigations": 1, "nist": 3, "cis": null, "d3fend": null, "engage": 10, "splunk": null, "splunk_threatHunting": 2, "elastic": 2, "eql_analytics": 2, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": 2, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": 2, "sigma": 7, "th_playbook": null, "art": 8, "car_red": null, "rta": 1, "prelude": 2, "stockpile": 2, "scythe": 5, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1136", "techName": "Create Account", "technique": "T1136: Create Account", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1136", "lowestLevel": "n", "mitigations": 4, "nist": 15, "cis": 18, "d3fend": 7, "engage": 4, "splunk": 11, "splunk_threatHunting": 1, "elastic": null, "eql_analytics": 1, "azure_fullStack": 6, "sentinel_defender": 3, "azure_sentinel": 1, "logpoint": 8, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": 1, "gcp": null, "car": null, "atc": 4, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": 1, "prelude": null, "stockpile": null, "scythe": 3, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 2, "validate_potential": 3 }, { "techID": "T1136.001", "techName": "Local Account", "technique": "T1136.001: Local Account", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1136/001", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": null, "d3fend": null, "engage": null, "splunk": 4, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 12, "th_playbook": null, "art": 6, "car_red": 2, "rta": null, "prelude": 1, "stockpile": null, "scythe": 2, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1136.002", "techName": "Domain Account", "technique": "T1136.002: Domain Account", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1136/002", "lowestLevel": "y", "mitigations": 4, "nist": 15, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1136.003", "techName": "Cloud Account", "technique": "T1136.003: Cloud Account", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1136/003", "lowestLevel": "y", "mitigations": 3, "nist": 15, "cis": null, "d3fend": null, "engage": null, "splunk": 6, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 4, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": 1, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1137", "techName": "Office Application Startup", "technique": "T1137: Office Application Startup", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1137", "lowestLevel": "n", "mitigations": 4, "nist": 9, "cis": 13, "d3fend": 8, "engage": 4, "splunk": null, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": 2, "azure_fullStack": 2, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 4, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 6, "th_playbook": null, "art": 1, "car_red": null, "rta": 1, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1137.001", "techName": "Office Template Macros", "technique": "T1137.001: Office Template Macros", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1137/001", "lowestLevel": "y", "mitigations": 1, "nist": 6, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1137.002", "techName": "Office Test", "technique": "T1137.002: Office Test", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1137/002", "lowestLevel": "y", "mitigations": 2, "nist": 6, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1137.003", "techName": "Outlook Forms", "technique": "T1137.003: Outlook Forms", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1137/003", "lowestLevel": "y", "mitigations": 1, "nist": 2, "cis": null, "d3fend": 5, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1137.004", "techName": "Outlook Home Page", "technique": "T1137.004: Outlook Home Page", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1137/004", "lowestLevel": "y", "mitigations": 1, "nist": 2, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1137.005", "techName": "Outlook Rules", "technique": "T1137.005: Outlook Rules", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1137/005", "lowestLevel": "y", "mitigations": 1, "nist": 2, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1137.006", "techName": "Add-ins", "technique": "T1137.006: Add-ins", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1137/006", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 1, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1140", "techName": "Deobfuscate/Decode Files or Information", "technique": "T1140: Deobfuscate/Decode Files or Information", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1140", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 10, "engage": 1, "splunk": 2, "splunk_threatHunting": 1, "elastic": 6, "eql_analytics": 1, "azure_fullStack": 3, "sentinel_defender": 5, "azure_sentinel": 1, "logpoint": 9, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": null, "gcp": null, "car": 1, "atc": 6, "sigma": 11, "th_playbook": null, "art": 6, "car_red": 2, "rta": 2, "prelude": null, "stockpile": null, "scythe": 3, "policy_process_volume": 2, "detect_volume": 3, "test_volume": 2, "validate_potential": 3 }, { "techID": "T1149", "techName": "LC_MAIN Hijacking", "technique": "T1149: LC_MAIN Hijacking", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1149", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1153", "techName": "Source", "technique": "T1153: Source", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1153", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1175", "techName": "Component Object Model and Distributed COM", "technique": "T1175: Component Object Model and Distributed COM", "tactics": "Lateral Movement, Execution", "url": "https://attack.mitre.org/techniques/T1175", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": 3, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": 3, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1176", "techName": "Browser Extensions", "technique": "T1176: Browser Extensions", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1176", "lowestLevel": "y", "mitigations": 4, "nist": 15, "cis": 37, "d3fend": 1, "engage": 5, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": 1, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1185", "techName": "Browser Session Hijacking", "technique": "T1185: Browser Session Hijacking", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1185", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": 19, "d3fend": 8, "engage": 4, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1187", "techName": "Forced Authentication", "technique": "T1187: Forced Authentication", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1187", "lowestLevel": "y", "mitigations": 2, "nist": 10, "cis": 4, "d3fend": 6, "engage": 4, "splunk": 1, "splunk_threatHunting": 1, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 5, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": 1, "atc": null, "sigma": 3, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1189", "techName": "Drive-by Compromise", "technique": "T1189: Drive-by Compromise", "tactics": "Initial Access", "url": "https://attack.mitre.org/techniques/T1189", "lowestLevel": "y", "mitigations": 6, "nist": 18, "cis": 11, "d3fend": 13, "engage": 3, "splunk": 2, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1190", "techName": "Exploit Public-Facing Application", "technique": "T1190: Exploit Public-Facing Application", "tactics": "Initial Access", "url": "https://attack.mitre.org/techniques/T1190", "lowestLevel": "y", "mitigations": 6, "nist": 29, "cis": 21, "d3fend": 12, "engage": 3, "splunk": 27, "splunk_threatHunting": null, "elastic": 14, "eql_analytics": null, "azure_fullStack": 14, "sentinel_defender": 23, "azure_sentinel": null, "logpoint": 13, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 7, "gcp": 2, "car": null, "atc": 2, "sigma": 66, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1195", "techName": "Supply Chain Compromise", "technique": "T1195: Supply Chain Compromise", "tactics": "Initial Access", "url": "https://attack.mitre.org/techniques/T1195", "lowestLevel": "n", "mitigations": 2, "nist": 8, "cis": 7, "d3fend": 1, "engage": 2, "splunk": 3, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1195.001", "techName": "Compromise Software Dependencies and Development Tools", "technique": "T1195.001: Compromise Software Dependencies and Development Tools", "tactics": "Initial Access", "url": "https://attack.mitre.org/techniques/T1195/001", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": null, "d3fend": 1, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1195.002", "techName": "Compromise Software Supply Chain", "technique": "T1195.002: Compromise Software Supply Chain", "tactics": "Initial Access", "url": "https://attack.mitre.org/techniques/T1195/002", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": null, "d3fend": 1, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 4, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1195.003", "techName": "Compromise Hardware Supply Chain", "technique": "T1195.003: Compromise Hardware Supply Chain", "tactics": "Initial Access", "url": "https://attack.mitre.org/techniques/T1195/003", "lowestLevel": "y", "mitigations": 1, "nist": 11, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1197", "techName": "BITS Jobs", "technique": "T1197: BITS Jobs", "tactics": "Defense Evasion, Persistence", "url": "https://attack.mitre.org/techniques/T1197", "lowestLevel": "y", "mitigations": 3, "nist": 14, "cis": 15, "d3fend": 11, "engage": 3, "splunk": 6, "splunk_threatHunting": 2, "elastic": 1, "eql_analytics": 2, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": 2, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": 2, "atc": 2, "sigma": 17, "th_playbook": null, "art": 8, "car_red": 4, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1199", "techName": "Trusted Relationship", "technique": "T1199: Trusted Relationship", "tactics": "Initial Access", "url": "https://attack.mitre.org/techniques/T1199", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": 5, "d3fend": 9, "engage": 4, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1200", "techName": "Hardware Additions", "technique": "T1200: Hardware Additions", "tactics": "Initial Access", "url": "https://attack.mitre.org/techniques/T1200", "lowestLevel": "y", "mitigations": 2, "nist": 5, "cis": 15, "d3fend": null, "engage": 3, "splunk": 5, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": 1, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1201", "techName": "Password Policy Discovery", "technique": "T1201: Password Policy Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1201", "lowestLevel": "y", "mitigations": 1, "nist": 5, "cis": 1, "d3fend": null, "engage": 3, "splunk": 7, "splunk_threatHunting": 1, "elastic": null, "eql_analytics": 1, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 4, "th_playbook": null, "art": 9, "car_red": null, "rta": null, "prelude": 1, "stockpile": 2, "scythe": 2, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1202", "techName": "Indirect Command Execution", "technique": "T1202: Indirect Command Execution", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1202", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 2, "splunk": 3, "splunk_threatHunting": 1, "elastic": null, "eql_analytics": 1, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 6, "proofpoint_emergingThreats": null, "tanium_threatResponse": 14, "aws": null, "gcp": null, "car": null, "atc": 5, "sigma": 25, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 1, "detect_volume": 3, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1203", "techName": "Exploitation for Client Execution", "technique": "T1203: Exploitation for Client Execution", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1203", "lowestLevel": "y", "mitigations": 2, "nist": 14, "cis": 3, "d3fend": 6, "engage": 4, "splunk": 4, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": 9, "azure_sentinel": null, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 4, "gcp": null, "car": null, "atc": 2, "sigma": 21, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1204", "techName": "User Execution", "technique": "T1204: User Execution", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1204", "lowestLevel": "n", "mitigations": 4, "nist": 13, "cis": 18, "d3fend": 18, "engage": 6, "splunk": 15, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": 1, "azure_fullStack": 4, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": 5, "proofpoint_emergingThreats": null, "tanium_threatResponse": 31, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 7, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1204.001", "techName": "Malicious Link", "technique": "T1204.001: Malicious Link", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1204/001", "lowestLevel": "y", "mitigations": 3, "nist": 11, "cis": null, "d3fend": 11, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1204.002", "techName": "Malicious File", "technique": "T1204.002: Malicious File", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1204/002", "lowestLevel": "y", "mitigations": 2, "nist": 12, "cis": null, "d3fend": 7, "engage": null, "splunk": 4, "splunk_threatHunting": null, "elastic": 5, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 28, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 27, "th_playbook": null, "art": 10, "car_red": 2, "rta": null, "prelude": null, "stockpile": null, "scythe": 2, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1204.003", "techName": "Malicious Image", "technique": "T1204.003: Malicious Image", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1204/003", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 7, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1205", "techName": "Traffic Signaling", "technique": "T1205: Traffic Signaling", "tactics": "Defense Evasion, Persistence, Command and Control", "url": "https://attack.mitre.org/techniques/T1205", "lowestLevel": "n", "mitigations": 1, "nist": 9, "cis": 3, "d3fend": 8, "engage": 3, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1205.001", "techName": "Port Knocking", "technique": "T1205.001: Port Knocking", "tactics": "Defense Evasion, Persistence, Command and Control", "url": "https://attack.mitre.org/techniques/T1205/001", "lowestLevel": "y", "mitigations": 1, "nist": 8, "cis": null, "d3fend": 8, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1207", "techName": "Rogue Domain Controller", "technique": "T1207: Rogue Domain Controller", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1207", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 10, "engage": 3, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1210", "techName": "Exploitation of Remote Services", "technique": "T1210: Exploitation of Remote Services", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1210", "lowestLevel": "y", "mitigations": 8, "nist": 32, "cis": 29, "d3fend": 15, "engage": 4, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 8, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": 6, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 5, "gcp": null, "car": null, "atc": 3, "sigma": 8, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1211", "techName": "Exploitation for Defense Evasion", "technique": "T1211: Exploitation for Defense Evasion", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1211", "lowestLevel": "y", "mitigations": 4, "nist": 23, "cis": 5, "d3fend": 6, "engage": 4, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 23, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": 2, "sigma": 3, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1212", "techName": "Exploitation for Credential Access", "technique": "T1212: Exploitation for Credential Access", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1212", "lowestLevel": "y", "mitigations": 4, "nist": 24, "cis": 6, "d3fend": 8, "engage": 5, "splunk": 2, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 5, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": 4, "gcp": null, "car": null, "atc": 3, "sigma": 8, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1213", "techName": "Data from Information Repositories", "technique": "T1213: Data from Information Repositories", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1213", "lowestLevel": "n", "mitigations": 3, "nist": 24, "cis": 38, "d3fend": 1, "engage": 6, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1213.001", "techName": "Confluence", "technique": "T1213.001: Confluence", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1213/001", "lowestLevel": "y", "mitigations": 3, "nist": 24, "cis": null, "d3fend": 1, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1213.002", "techName": "Sharepoint", "technique": "T1213.002: Sharepoint", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1213/002", "lowestLevel": "y", "mitigations": 3, "nist": 24, "cis": null, "d3fend": 1, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1213.003", "techName": "Code Repositories", "technique": "T1213.003: Code Repositories", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1213/003", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1216", "techName": "Signed Script Proxy Execution", "technique": "T1216: Signed Script Proxy Execution", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1216", "lowestLevel": "n", "mitigations": 1, "nist": 6, "cis": 3, "d3fend": null, "engage": 3, "splunk": null, "splunk_threatHunting": 1, "elastic": null, "eql_analytics": 1, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 14, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1216.001", "techName": "PubPrn", "technique": "T1216.001: PubPrn", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1216/001", "lowestLevel": "y", "mitigations": 1, "nist": 6, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1217", "techName": "Browser Bookmark Discovery", "technique": "T1217: Browser Bookmark Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1217", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 6, "splunk": null, "splunk_threatHunting": 1, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": 1, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 8, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1218", "techName": "Signed Binary Proxy Execution", "technique": "T1218: Signed Binary Proxy Execution", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1218", "lowestLevel": "n", "mitigations": 4, "nist": 15, "cis": 10, "d3fend": 18, "engage": 3, "splunk": 63, "splunk_threatHunting": 2, "elastic": 6, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": 2, "logpoint": 43, "proofpoint_emergingThreats": null, "tanium_threatResponse": 63, "aws": null, "gcp": null, "car": null, "atc": 9, "sigma": 77, "th_playbook": 1, "art": 13, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1218.001", "techName": "Compiled HTML File", "technique": "T1218.001: Compiled HTML File", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1218/001", "lowestLevel": "y", "mitigations": 2, "nist": 7, "cis": null, "d3fend": 4, "engage": null, "splunk": 4, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 3, "th_playbook": null, "art": 7, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1218.002", "techName": "Control Panel", "technique": "T1218.002: Control Panel", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1218/002", "lowestLevel": "y", "mitigations": 2, "nist": 9, "cis": null, "d3fend": 3, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": 7, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1218.003", "techName": "CMSTP", "technique": "T1218.003: CMSTP", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1218/003", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": null, "d3fend": 11, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 5, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1218.004", "techName": "InstallUtil", "technique": "T1218.004: InstallUtil", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1218/004", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": null, "d3fend": null, "engage": null, "splunk": 9, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 8, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 3, "validate_potential": 1 }, { "techID": "T1218.005", "techName": "Mshta", "technique": "T1218.005: Mshta", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1218/005", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": null, "d3fend": null, "engage": null, "splunk": 12, "splunk_threatHunting": null, "elastic": 4, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 10, "proofpoint_emergingThreats": null, "tanium_threatResponse": 6, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 8, "th_playbook": null, "art": 10, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1218.007", "techName": "Msiexec", "technique": "T1218.007: Msiexec", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1218/007", "lowestLevel": "y", "mitigations": 1, "nist": 9, "cis": null, "d3fend": null, "engage": null, "splunk": 6, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 7, "th_playbook": null, "art": 11, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1218.008", "techName": "Odbcconf", "technique": "T1218.008: Odbcconf", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1218/008", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": null, "d3fend": null, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1218.009", "techName": "Regsvcs/Regasm", "technique": "T1218.009: Regsvcs/Regasm", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1218/009", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": null, "d3fend": null, "engage": null, "splunk": 6, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1218.010", "techName": "Regsvr32", "technique": "T1218.010: Regsvr32", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1218/010", "lowestLevel": "y", "mitigations": 1, "nist": 4, "cis": null, "d3fend": null, "engage": null, "splunk": 5, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": null, "gcp": null, "car": 2, "atc": null, "sigma": 16, "th_playbook": null, "art": 5, "car_red": 2, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1218.011", "techName": "Rundll32", "technique": "T1218.011: Rundll32", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1218/011", "lowestLevel": "y", "mitigations": 1, "nist": 4, "cis": null, "d3fend": 6, "engage": null, "splunk": 16, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 9, "proofpoint_emergingThreats": null, "tanium_threatResponse": 19, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 30, "th_playbook": null, "art": 12, "car_red": 1, "rta": null, "prelude": null, "stockpile": null, "scythe": 7, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1218.012", "techName": "Verclsid", "technique": "T1218.012: Verclsid", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1218/012", "lowestLevel": "y", "mitigations": 3, "nist": 13, "cis": null, "d3fend": null, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1218.013", "techName": "Mavinject", "technique": "T1218.013: Mavinject", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1218/013", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 4, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1218.014", "techName": "MMC", "technique": "T1218.014: MMC", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1218/014", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 1, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1219", "techName": "Remote Access Software", "technique": "T1219: Remote Access Software", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1219", "lowestLevel": "y", "mitigations": 3, "nist": 13, "cis": 7, "d3fend": 9, "engage": 7, "splunk": 1, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": 2, "sigma": 19, "th_playbook": null, "art": 8, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 24, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1220", "techName": "XSL Script Processing", "technique": "T1220: XSL Script Processing", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1220", "lowestLevel": "y", "mitigations": 1, "nist": 6, "cis": 3, "d3fend": 10, "engage": 4, "splunk": 2, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": 1, "sigma": 3, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1221", "techName": "Template Injection", "technique": "T1221: Template Injection", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1221", "lowestLevel": "y", "mitigations": 3, "nist": 14, "cis": 22, "d3fend": null, "engage": 4, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": 1, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1222", "techName": "File and Directory Permissions Modification", "technique": "T1222: File and Directory Permissions Modification", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1222", "lowestLevel": "n", "mitigations": 2, "nist": 11, "cis": null, "d3fend": null, "engage": 3, "splunk": 11, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": 1, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": 2, "sigma": null, "th_playbook": 1, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1222.001", "techName": "Windows File and Directory Permissions Modification", "technique": "T1222.001: Windows File and Directory Permissions Modification", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1222/001", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": null, "d3fend": null, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 4, "th_playbook": null, "art": 5, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1222.002", "techName": "Linux and Mac File and Directory Permissions Modification", "technique": "T1222.002: Linux and Mac File and Directory Permissions Modification", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1222/002", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": null, "d3fend": null, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": 1, "atc": null, "sigma": 3, "th_playbook": null, "art": 11, "car_red": 2, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1480", "techName": "Execution Guardrails", "technique": "T1480: Execution Guardrails", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1480", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": 3, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": 2, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1480.001", "techName": "Environmental Keying", "technique": "T1480.001: Environmental Keying", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1480/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1482", "techName": "Domain Trust Discovery", "technique": "T1482: Domain Trust Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1482", "lowestLevel": "y", "mitigations": 2, "nist": 9, "cis": 23, "d3fend": null, "engage": 2, "splunk": 11, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": 2, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": 1, "gcp": null, "car": null, "atc": 1, "sigma": 10, "th_playbook": null, "art": 8, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": 10, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1484", "techName": "Domain Policy Modification", "technique": "T1484: Domain Policy Modification", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1484", "lowestLevel": "n", "mitigations": 3, "nist": 13, "cis": 29, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1484.001", "techName": "Group Policy Modification", "technique": "T1484.001: Group Policy Modification", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1484/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": 1, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1484.002", "techName": "Domain Trust Modification", "technique": "T1484.002: Domain Trust Modification", "tactics": "Defense Evasion, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1484/002", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": 4, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1485", "techName": "Data Destruction", "technique": "T1485: Data Destruction", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1485", "lowestLevel": "y", "mitigations": 1, "nist": 10, "cis": 5, "d3fend": null, "engage": 6, "splunk": 19, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 6, "sentinel_defender": 8, "azure_sentinel": null, "logpoint": 8, "proofpoint_emergingThreats": null, "tanium_threatResponse": 5, "aws": 6, "gcp": null, "car": null, "atc": null, "sigma": 9, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": 2, "stockpile": null, "scythe": 10, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1486", "techName": "Data Encrypted for Impact", "technique": "T1486: Data Encrypted for Impact", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1486", "lowestLevel": "y", "mitigations": 1, "nist": 11, "cis": 5, "d3fend": null, "engage": 3, "splunk": 7, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": 5, "azure_sentinel": null, "logpoint": 14, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 4, "gcp": null, "car": null, "atc": null, "sigma": 10, "th_playbook": null, "art": 5, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 22, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1489", "techName": "Service Stop", "technique": "T1489: Service Stop", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1489", "lowestLevel": "y", "mitigations": 3, "nist": 13, "cis": 20, "d3fend": null, "engage": 2, "splunk": 12, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": 2, "azure_fullStack": 1, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": 1, "sigma": 4, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": 2, "stockpile": 1, "scythe": 12, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1490", "techName": "Inhibit System Recovery", "technique": "T1490: Inhibit System Recovery", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1490", "lowestLevel": "y", "mitigations": 2, "nist": 12, "cis": 7, "d3fend": null, "engage": 2, "splunk": 12, "splunk_threatHunting": null, "elastic": 6, "eql_analytics": 3, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 9, "aws": 2, "gcp": null, "car": 2, "atc": 2, "sigma": 15, "th_playbook": null, "art": 9, "car_red": 5, "rta": null, "prelude": 3, "stockpile": null, "scythe": 9, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1491", "techName": "Defacement", "technique": "T1491: Defacement", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1491", "lowestLevel": "n", "mitigations": 1, "nist": 10, "cis": 5, "d3fend": 1, "engage": 2, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": 1, "stockpile": 2, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 2, "validate_potential": 1 }, { "techID": "T1491.001", "techName": "Internal Defacement", "technique": "T1491.001: Internal Defacement", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1491/001", "lowestLevel": "y", "mitigations": null, "nist": 10, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 8, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 2, "validate_potential": 1 }, { "techID": "T1491.002", "techName": "External Defacement", "technique": "T1491.002: External Defacement", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1491/002", "lowestLevel": "y", "mitigations": null, "nist": 10, "cis": null, "d3fend": 1, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1495", "techName": "Firmware Corruption", "technique": "T1495: Firmware Corruption", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1495", "lowestLevel": "y", "mitigations": 3, "nist": 16, "cis": 11, "d3fend": null, "engage": 1, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1496", "techName": "Resource Hijacking", "technique": "T1496: Resource Hijacking", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1496", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 3, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 12, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 4, "gcp": 2, "car": null, "atc": null, "sigma": 4, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": 2, "scythe": null, "policy_process_volume": 1, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1497", "techName": "Virtualization/Sandbox Evasion", "technique": "T1497: Virtualization/Sandbox Evasion", "tactics": "Defense Evasion, Discovery", "url": "https://attack.mitre.org/techniques/T1497", "lowestLevel": "n", "mitigations": null, "nist": null, "cis": null, "d3fend": 3, "engage": 3, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1497.001", "techName": "System Checks", "technique": "T1497.001: System Checks", "tactics": "Defense Evasion, Discovery", "url": "https://attack.mitre.org/techniques/T1497/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 8, "car_red": null, "rta": null, "prelude": null, "stockpile": 3, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 3, "validate_potential": 1 }, { "techID": "T1497.002", "techName": "User Activity Based Checks", "technique": "T1497.002: User Activity Based Checks", "tactics": "Defense Evasion, Discovery", "url": "https://attack.mitre.org/techniques/T1497/002", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1497.003", "techName": "Time Based Evasion", "technique": "T1497.003: Time Based Evasion", "tactics": "Defense Evasion, Discovery", "url": "https://attack.mitre.org/techniques/T1497/003", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 3, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": 1, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 2, "validate_potential": 1 }, { "techID": "T1498", "techName": "Network Denial of Service", "technique": "T1498: Network Denial of Service", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1498", "lowestLevel": "n", "mitigations": 1, "nist": 8, "cis": 3, "d3fend": 9, "engage": 2, "splunk": 7, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": 20, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 5, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1498.001", "techName": "Direct Network Flood", "technique": "T1498.001: Direct Network Flood", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1498/001", "lowestLevel": "y", "mitigations": 1, "nist": 8, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 4, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1498.002", "techName": "Reflection Amplification", "technique": "T1498.002: Reflection Amplification", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1498/002", "lowestLevel": "y", "mitigations": 1, "nist": 8, "cis": null, "d3fend": 9, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 4, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1499", "techName": "Endpoint Denial of Service", "technique": "T1499: Endpoint Denial of Service", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1499", "lowestLevel": "n", "mitigations": 1, "nist": 9, "cis": 3, "d3fend": null, "engage": 2, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 6, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 11, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 4, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": 2, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1499.001", "techName": "OS Exhaustion Flood", "technique": "T1499.001: OS Exhaustion Flood", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1499/001", "lowestLevel": "y", "mitigations": 1, "nist": 9, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 4, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1499.002", "techName": "Service Exhaustion Flood", "technique": "T1499.002: Service Exhaustion Flood", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1499/002", "lowestLevel": "y", "mitigations": 1, "nist": 9, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 4, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1499.003", "techName": "Application Exhaustion Flood", "technique": "T1499.003: Application Exhaustion Flood", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1499/003", "lowestLevel": "y", "mitigations": 1, "nist": 9, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 4, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1499.004", "techName": "Application or System Exploitation", "technique": "T1499.004: Application or System Exploitation", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1499/004", "lowestLevel": "y", "mitigations": 1, "nist": 9, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1505", "techName": "Server Software Component", "technique": "T1505: Server Software Component", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1505", "lowestLevel": "n", "mitigations": 3, "nist": 21, "cis": 29, "d3fend": 18, "engage": 2, "splunk": 6, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1505.001", "techName": "SQL Stored Procedures", "technique": "T1505.001: SQL Stored Procedures", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1505/001", "lowestLevel": "y", "mitigations": 3, "nist": 21, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1505.002", "techName": "Transport Agent", "technique": "T1505.002: Transport Agent", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1505/002", "lowestLevel": "y", "mitigations": 3, "nist": 21, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1505.003", "techName": "Web Shell", "technique": "T1505.003: Web Shell", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1505/003", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 14, "engage": null, "splunk": 6, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 25, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1505.004", "techName": "IIS Components", "technique": "T1505.004: IIS Components", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1505/004", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 1, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1518", "techName": "Software Discovery", "technique": "T1518: Software Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1518", "lowestLevel": "n", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 4, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 18, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 6, "car_red": null, "rta": null, "prelude": null, "stockpile": 4, "scythe": 4, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 2, "validate_potential": 1 }, { "techID": "T1518.001", "techName": "Security Software Discovery", "technique": "T1518.001: Security Software Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1518/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 17, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 4, "th_playbook": null, "art": 6, "car_red": 1, "rta": null, "prelude": 7, "stockpile": 3, "scythe": 3, "policy_process_volume": 0, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1525", "techName": "Implant Internal Image", "technique": "T1525: Implant Internal Image", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1525", "lowestLevel": "y", "mitigations": 3, "nist": 16, "cis": 29, "d3fend": 3, "engage": 2, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 6, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1526", "techName": "Cloud Service Discovery", "technique": "T1526: Cloud Service Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1526", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 4, "splunk": 7, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1528", "techName": "Steal Application Access Token", "technique": "T1528: Steal Application Access Token", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1528", "lowestLevel": "y", "mitigations": 4, "nist": 19, "cis": 43, "d3fend": 5, "engage": 4, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": 5, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": 6, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 2, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1529", "techName": "System Shutdown/Reboot", "technique": "T1529: System Shutdown/Reboot", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1529", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 3, "splunk": 3, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": 5, "th_playbook": null, "art": 10, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 3, "validate_potential": 1 }, { "techID": "T1530", "techName": "Data from Cloud Storage Object", "technique": "T1530: Data from Cloud Storage Object", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1530", "lowestLevel": "y", "mitigations": 6, "nist": 33, "cis": 47, "d3fend": null, "engage": 9, "splunk": 6, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 6, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 8, "gcp": 9, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1531", "techName": "Account Access Removal", "technique": "T1531: Account Access Removal", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1531", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 5, "engage": 6, "splunk": 4, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": 1, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1534", "techName": "Internal Spearphishing", "technique": "T1534: Internal Spearphishing", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1534", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 8, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1535", "techName": "Unused/Unsupported Cloud Regions", "technique": "T1535: Unused/Unsupported Cloud Regions", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1535", "lowestLevel": "y", "mitigations": 2, "nist": 1, "cis": 2, "d3fend": null, "engage": 2, "splunk": 8, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1537", "techName": "Transfer Data to Cloud Account", "technique": "T1537: Transfer Data to Cloud Account", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1537", "lowestLevel": "y", "mitigations": 3, "nist": 20, "cis": 14, "d3fend": null, "engage": 9, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 4, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1538", "techName": "Cloud Service Dashboard", "technique": "T1538: Cloud Service Dashboard", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1538", "lowestLevel": "y", "mitigations": 1, "nist": 6, "cis": 10, "d3fend": null, "engage": 5, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1539", "techName": "Steal Web Session Cookie", "technique": "T1539: Steal Web Session Cookie", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1539", "lowestLevel": "y", "mitigations": 4, "nist": 10, "cis": 16, "d3fend": 4, "engage": 4, "splunk": null, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1542", "techName": "Pre-OS Boot", "technique": "T1542: Pre-OS Boot", "tactics": "Defense Evasion, Persistence", "url": "https://attack.mitre.org/techniques/T1542", "lowestLevel": "n", "mitigations": 3, "nist": 19, "cis": null, "d3fend": 6, "engage": 1, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1542.001", "techName": "System Firmware", "technique": "T1542.001: System Firmware", "tactics": "Persistence, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1542/001", "lowestLevel": "y", "mitigations": 3, "nist": 18, "cis": null, "d3fend": 5, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1542.002", "techName": "Component Firmware", "technique": "T1542.002: Component Firmware", "tactics": "Persistence, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1542/002", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1542.003", "techName": "Bootkit", "technique": "T1542.003: Bootkit", "tactics": "Persistence, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1542/003", "lowestLevel": "y", "mitigations": 2, "nist": 18, "cis": null, "d3fend": 1, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1542.004", "techName": "ROMMONkit", "technique": "T1542.004: ROMMONkit", "tactics": "Defense Evasion, Persistence", "url": "https://attack.mitre.org/techniques/T1542/004", "lowestLevel": "y", "mitigations": 3, "nist": 20, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1542.005", "techName": "TFTP Boot", "technique": "T1542.005: TFTP Boot", "tactics": "Defense Evasion, Persistence", "url": "https://attack.mitre.org/techniques/T1542/005", "lowestLevel": "y", "mitigations": 6, "nist": 24, "cis": null, "d3fend": null, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1543", "techName": "Create or Modify System Process", "technique": "T1543: Create or Modify System Process", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1543", "lowestLevel": "n", "mitigations": 4, "nist": 21, "cis": null, "d3fend": 4, "engage": 4, "splunk": 16, "splunk_threatHunting": null, "elastic": 8, "eql_analytics": null, "azure_fullStack": 6, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 5, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1543.001", "techName": "Launch Agent", "technique": "T1543.001: Launch Agent", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1543/001", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": null, "d3fend": 3, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1543.002", "techName": "Systemd Service", "technique": "T1543.002: Systemd Service", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1543/002", "lowestLevel": "y", "mitigations": 4, "nist": 16, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1543.003", "techName": "Windows Service", "technique": "T1543.003: Windows Service", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1543/003", "lowestLevel": "y", "mitigations": 2, "nist": 15, "cis": null, "d3fend": null, "engage": null, "splunk": 14, "splunk_threatHunting": null, "elastic": 13, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 6, "atc": null, "sigma": 35, "th_playbook": null, "art": 8, "car_red": 1, "rta": null, "prelude": null, "stockpile": 1, "scythe": 2, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1543.004", "techName": "Launch Daemon", "technique": "T1543.004: Launch Daemon", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1543/004", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1546", "techName": "Event Triggered Execution", "technique": "T1546: Event Triggered Execution", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546", "lowestLevel": "n", "mitigations": null, "nist": 4, "cis": null, "d3fend": 27, "engage": 2, "splunk": 12, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": 22, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 8, "th_playbook": 2, "art": null, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": 1, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1546.001", "techName": "Change Default File Association", "technique": "T1546.001: Change Default File Association", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1546.002", "techName": "Screensaver", "technique": "T1546.002: Screensaver", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/002", "lowestLevel": "y", "mitigations": 2, "nist": 9, "cis": null, "d3fend": 7, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 4, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1546.003", "techName": "Windows Management Instrumentation Event Subscription", "technique": "T1546.003: Windows Management Instrumentation Event Subscription", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/003", "lowestLevel": "y", "mitigations": 2, "nist": 7, "cis": null, "d3fend": 10, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 12, "th_playbook": null, "art": 6, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 2, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1546.004", "techName": "Unix Shell Configuration Modification", "technique": "T1546.004: Unix Shell Configuration Modification", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/004", "lowestLevel": "y", "mitigations": 1, "nist": 8, "cis": null, "d3fend": 4, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1546.005", "techName": "Trap", "technique": "T1546.005: Trap", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/005", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1546.006", "techName": "LC_LOAD_DYLIB Addition", "technique": "T1546.006: LC_LOAD_DYLIB Addition", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/006", "lowestLevel": "y", "mitigations": 3, "nist": 14, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1546.007", "techName": "Netsh Helper DLL", "technique": "T1546.007: Netsh Helper DLL", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/007", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 6, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1546.008", "techName": "Accessibility Features", "technique": "T1546.008: Accessibility Features", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/008", "lowestLevel": "y", "mitigations": 3, "nist": 6, "cis": null, "d3fend": 17, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": 16, "aws": null, "gcp": null, "car": 2, "atc": null, "sigma": 4, "th_playbook": null, "art": 4, "car_red": 1, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1546.009", "techName": "AppCert DLLs", "technique": "T1546.009: AppCert DLLs", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/009", "lowestLevel": "y", "mitigations": 1, "nist": 3, "cis": null, "d3fend": 6, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1546.010", "techName": "AppInit DLLs", "technique": "T1546.010: AppInit DLLs", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/010", "lowestLevel": "y", "mitigations": null, "nist": 5, "cis": null, "d3fend": 6, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 2, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1546.011", "techName": "Application Shimming", "technique": "T1546.011: Application Shimming", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/011", "lowestLevel": "y", "mitigations": 2, "nist": 2, "cis": null, "d3fend": 1, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 6, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1546.012", "techName": "Image File Execution Options Injection", "technique": "T1546.012: Image File Execution Options Injection", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/012", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1546.013", "techName": "PowerShell Profile", "technique": "T1546.013: PowerShell Profile", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/013", "lowestLevel": "y", "mitigations": 4, "nist": 10, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1546.014", "techName": "Emond", "technique": "T1546.014: Emond", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/014", "lowestLevel": "y", "mitigations": 1, "nist": 6, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1546.015", "techName": "Component Object Model Hijacking", "technique": "T1546.015: Component Object Model Hijacking", "tactics": "Privilege Escalation, Persistence", "url": "https://attack.mitre.org/techniques/T1546/015", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 7, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 7, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 7, "th_playbook": null, "art": 8, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1547", "techName": "Boot or Logon Autostart Execution", "technique": "T1547: Boot or Logon Autostart Execution", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547", "lowestLevel": "n", "mitigations": null, "nist": null, "cis": null, "d3fend": 9, "engage": 1, "splunk": 15, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": 13, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 6, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 3, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1547.001", "techName": "Registry Run Keys / Startup Folder", "technique": "T1547.001: Registry Run Keys / Startup Folder", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 8, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": 9, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 8, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 3, "atc": null, "sigma": 27, "th_playbook": null, "art": 18, "car_red": 3, "rta": null, "prelude": null, "stockpile": null, "scythe": 19, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1547.002", "techName": "Authentication Package", "technique": "T1547.002: Authentication Package", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/002", "lowestLevel": "y", "mitigations": 1, "nist": 5, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1547.003", "techName": "Time Providers", "technique": "T1547.003: Time Providers", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/003", "lowestLevel": "y", "mitigations": 1, "nist": 10, "cis": null, "d3fend": null, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1547.004", "techName": "Winlogon Helper DLL", "technique": "T1547.004: Winlogon Helper DLL", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/004", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 2, "atc": null, "sigma": 3, "th_playbook": null, "art": 6, "car_red": 2, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1547.005", "techName": "Security Support Provider", "technique": "T1547.005: Security Support Provider", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/005", "lowestLevel": "y", "mitigations": 1, "nist": 5, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1547.006", "techName": "Kernel Modules and Extensions", "technique": "T1547.006: Kernel Modules and Extensions", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/006", "lowestLevel": "y", "mitigations": 3, "nist": 13, "cis": null, "d3fend": 3, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": 4, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1547.007", "techName": "Re-opened Applications", "technique": "T1547.007: Re-opened Applications", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/007", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1547.008", "techName": "LSASS Driver", "technique": "T1547.008: LSASS Driver", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/008", "lowestLevel": "y", "mitigations": 2, "nist": 7, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1547.009", "techName": "Shortcut Modification", "technique": "T1547.009: Shortcut Modification", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/009", "lowestLevel": "y", "mitigations": 1, "nist": 8, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 4, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1547.010", "techName": "Port Monitors", "technique": "T1547.010: Port Monitors", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/010", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1547.011", "techName": "Plist Modification", "technique": "T1547.011: Plist Modification", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/011", "lowestLevel": "y", "mitigations": 2, "nist": 12, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1547.012", "techName": "Print Processors", "technique": "T1547.012: Print Processors", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/012", "lowestLevel": "y", "mitigations": 1, "nist": 8, "cis": null, "d3fend": null, "engage": null, "splunk": 7, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1547.013", "techName": "XDG Autostart Entries", "technique": "T1547.013: XDG Autostart Entries", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/013", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1547.014", "techName": "Active Setup", "technique": "T1547.014: Active Setup", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/014", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1547.015", "techName": "Login Items", "technique": "T1547.015: Login Items", "tactics": "Persistence, Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1547/015", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1548", "techName": "Abuse Elevation Control Mechanism", "technique": "T1548: Abuse Elevation Control Mechanism", "tactics": "Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1548", "lowestLevel": "n", "mitigations": 6, "nist": 21, "cis": null, "d3fend": 11, "engage": 2, "splunk": 26, "splunk_threatHunting": null, "elastic": 5, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": 14, "proofpoint_emergingThreats": null, "tanium_threatResponse": 17, "aws": 1, "gcp": null, "car": 1, "atc": null, "sigma": 16, "th_playbook": null, "art": null, "car_red": 2, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1548.001", "techName": "Setuid and Setgid", "technique": "T1548.001: Setuid and Setgid", "tactics": "Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1548/001", "lowestLevel": "y", "mitigations": 1, "nist": 3, "cis": null, "d3fend": null, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 11, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 10, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1548.002", "techName": "Bypass User Account Control", "technique": "T1548.002: Bypass User Account Control", "tactics": "Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1548/002", "lowestLevel": "y", "mitigations": 4, "nist": 12, "cis": null, "d3fend": 10, "engage": null, "splunk": 13, "splunk_threatHunting": null, "elastic": 12, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": 4, "aws": null, "gcp": null, "car": 3, "atc": null, "sigma": 47, "th_playbook": null, "art": 42, "car_red": null, "rta": null, "prelude": null, "stockpile": 5, "scythe": 1, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1548.003", "techName": "Sudo and Sudo Caching", "technique": "T1548.003: Sudo and Sudo Caching", "tactics": "Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1548/003", "lowestLevel": "y", "mitigations": 3, "nist": 13, "cis": null, "d3fend": 4, "engage": null, "splunk": 7, "splunk_threatHunting": null, "elastic": 4, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 6, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 2, "validate_potential": 1 }, { "techID": "T1548.004", "techName": "Elevated Execution with Prompt", "technique": "T1548.004: Elevated Execution with Prompt", "tactics": "Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1548/004", "lowestLevel": "y", "mitigations": 1, "nist": 11, "cis": null, "d3fend": 2, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1550", "techName": "Use Alternate Authentication Material", "technique": "T1550: Use Alternate Authentication Material", "tactics": "Defense Evasion, Lateral Movement", "url": "https://attack.mitre.org/techniques/T1550", "lowestLevel": "n", "mitigations": 2, "nist": 7, "cis": null, "d3fend": 18, "engage": 2, "splunk": 9, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": 4, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1550.001", "techName": "Application Access Token", "technique": "T1550.001: Application Access Token", "tactics": "Defense Evasion, Lateral Movement", "url": "https://attack.mitre.org/techniques/T1550/001", "lowestLevel": "y", "mitigations": 3, "nist": 16, "cis": null, "d3fend": 15, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 4, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1550.002", "techName": "Pass the Hash", "technique": "T1550.002: Pass the Hash", "tactics": "Defense Evasion, Lateral Movement", "url": "https://attack.mitre.org/techniques/T1550/002", "lowestLevel": "y", "mitigations": 4, "nist": 8, "cis": null, "d3fend": 5, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 6, "th_playbook": null, "art": 6, "car_red": 1, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1550.003", "techName": "Pass the Ticket", "technique": "T1550.003: Pass the Ticket", "tactics": "Defense Evasion, Lateral Movement", "url": "https://attack.mitre.org/techniques/T1550/003", "lowestLevel": "y", "mitigations": 4, "nist": 11, "cis": null, "d3fend": 5, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1550.004", "techName": "Web Session Cookie", "technique": "T1550.004: Web Session Cookie", "tactics": "Defense Evasion, Lateral Movement", "url": "https://attack.mitre.org/techniques/T1550/004", "lowestLevel": "y", "mitigations": 2, "nist": 3, "cis": null, "d3fend": 14, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1552", "techName": "Unsecured Credentials", "technique": "T1552: Unsecured Credentials", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1552", "lowestLevel": "n", "mitigations": 10, "nist": 33, "cis": null, "d3fend": 7, "engage": 7, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 6, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 6, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": 7, "gcp": null, "car": null, "atc": null, "sigma": 5, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1552.001", "techName": "Credentials In Files", "technique": "T1552.001: Credentials In Files", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1552/001", "lowestLevel": "y", "mitigations": 4, "nist": 18, "cis": null, "d3fend": 7, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": 6, "gcp": null, "car": null, "atc": null, "sigma": 14, "th_playbook": null, "art": 11, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1552.002", "techName": "Credentials in Registry", "technique": "T1552.002: Credentials in Registry", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1552/002", "lowestLevel": "y", "mitigations": 3, "nist": 18, "cis": null, "d3fend": 4, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": 1, "gcp": null, "car": 1, "atc": null, "sigma": 4, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": 2, "scythe": 1, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1552.003", "techName": "Bash History", "technique": "T1552.003: Bash History", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1552/003", "lowestLevel": "y", "mitigations": 1, "nist": 4, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": 1, "stockpile": 1, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 2, "validate_potential": 1 }, { "techID": "T1552.004", "techName": "Private Keys", "technique": "T1552.004: Private Keys", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1552/004", "lowestLevel": "y", "mitigations": 4, "nist": 22, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": 4, "gcp": null, "car": null, "atc": null, "sigma": 5, "th_playbook": null, "art": 7, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1552.005", "techName": "Cloud Instance Metadata API", "technique": "T1552.005: Cloud Instance Metadata API", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1552/005", "lowestLevel": "y", "mitigations": 2, "nist": 13, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 4, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1552.006", "techName": "Group Policy Preferences", "technique": "T1552.006: Group Policy Preferences", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1552/006", "lowestLevel": "y", "mitigations": 3, "nist": 13, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1552.007", "techName": "Container API", "technique": "T1552.007: Container API", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1552/007", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1553", "techName": "Subvert Trust Controls", "technique": "T1553: Subvert Trust Controls", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1553", "lowestLevel": "n", "mitigations": 4, "nist": 19, "cis": null, "d3fend": null, "engage": 3, "splunk": 2, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1553.001", "techName": "Gatekeeper Bypass", "technique": "T1553.001: Gatekeeper Bypass", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1553/001", "lowestLevel": "y", "mitigations": 1, "nist": 6, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1553.002", "techName": "Code Signing", "technique": "T1553.002: Code Signing", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1553/002", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 0, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1553.003", "techName": "SIP and Trust Provider Hijacking", "technique": "T1553.003: SIP and Trust Provider Hijacking", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1553/003", "lowestLevel": "y", "mitigations": 2, "nist": 10, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1553.004", "techName": "Install Root Certificate", "technique": "T1553.004: Install Root Certificate", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1553/004", "lowestLevel": "y", "mitigations": 3, "nist": 6, "cis": null, "d3fend": null, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": 1, "atc": null, "sigma": 4, "th_playbook": null, "art": 6, "car_red": 2, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1553.005", "techName": "Mark-of-the-Web Bypass", "technique": "T1553.005: Mark-of-the-Web Bypass", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1553/005", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1553.006", "techName": "Code Signing Policy Modification", "technique": "T1553.006: Code Signing Policy Modification", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1553/006", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1554", "techName": "Compromise Client Software Binary", "technique": "T1554: Compromise Client Software Binary", "tactics": "Persistence", "url": "https://attack.mitre.org/techniques/T1554", "lowestLevel": "y", "mitigations": 1, "nist": 9, "cis": null, "d3fend": 1, "engage": 4, "splunk": 2, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1555", "techName": "Credentials from Password Stores", "technique": "T1555: Credentials from Password Stores", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1555", "lowestLevel": "n", "mitigations": 3, "nist": 3, "cis": null, "d3fend": null, "engage": 8, "splunk": 3, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 7, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 3, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 4, "th_playbook": null, "art": 8, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1555.001", "techName": "Keychain", "technique": "T1555.001: Keychain", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1555/001", "lowestLevel": "y", "mitigations": 1, "nist": 3, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 4, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1555.002", "techName": "Securityd Memory", "technique": "T1555.002: Securityd Memory", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1555/002", "lowestLevel": "y", "mitigations": null, "nist": 3, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1555.003", "techName": "Credentials from Web Browsers", "technique": "T1555.003: Credentials from Web Browsers", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1555/003", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 15, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1555.004", "techName": "Windows Credential Manager", "technique": "T1555.004: Windows Credential Manager", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1555/004", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1555.005", "techName": "Password Managers", "technique": "T1555.005: Password Managers", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1555/005", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1556", "techName": "Modify Authentication Process", "technique": "T1556: Modify Authentication Process", "tactics": "Credential Access, Defense Evasion, Persistence", "url": "https://attack.mitre.org/techniques/T1556", "lowestLevel": "n", "mitigations": 5, "nist": 16, "cis": null, "d3fend": 6, "engage": 2, "splunk": 2, "splunk_threatHunting": null, "elastic": 5, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1556.001", "techName": "Domain Controller Authentication", "technique": "T1556.001: Domain Controller Authentication", "tactics": "Credential Access, Defense Evasion, Persistence", "url": "https://attack.mitre.org/techniques/T1556/001", "lowestLevel": "y", "mitigations": 3, "nist": 14, "cis": null, "d3fend": 2, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1556.002", "techName": "Password Filter DLL", "technique": "T1556.002: Password Filter DLL", "tactics": "Credential Access, Defense Evasion, Persistence", "url": "https://attack.mitre.org/techniques/T1556/002", "lowestLevel": "y", "mitigations": 1, "nist": 3, "cis": null, "d3fend": 5, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1556.003", "techName": "Pluggable Authentication Modules", "technique": "T1556.003: Pluggable Authentication Modules", "tactics": "Credential Access, Defense Evasion, Persistence", "url": "https://attack.mitre.org/techniques/T1556/003", "lowestLevel": "y", "mitigations": 2, "nist": 12, "cis": null, "d3fend": 6, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 6, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1556.004", "techName": "Network Device Authentication", "technique": "T1556.004: Network Device Authentication", "tactics": "Credential Access, Defense Evasion, Persistence", "url": "https://attack.mitre.org/techniques/T1556/004", "lowestLevel": "y", "mitigations": 2, "nist": 13, "cis": null, "d3fend": 2, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1557", "techName": "Adversary-in-the-Middle", "technique": "T1557: Adversary-in-the-Middle", "tactics": "Credential Access, Collection", "url": "https://attack.mitre.org/techniques/T1557", "lowestLevel": "n", "mitigations": 7, "nist": 24, "cis": null, "d3fend": 9, "engage": 4, "splunk": 4, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": 4, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1557.001", "techName": "LLMNR/NBT-NS Poisoning and SMB Relay", "technique": "T1557.001: LLMNR/NBT-NS Poisoning and SMB Relay", "tactics": "Credential Access, Collection", "url": "https://attack.mitre.org/techniques/T1557/001", "lowestLevel": "y", "mitigations": 4, "nist": 15, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 6, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1557.002", "techName": "ARP Cache Poisoning", "technique": "T1557.002: ARP Cache Poisoning", "tactics": "Credential Access, Collection", "url": "https://attack.mitre.org/techniques/T1557/002", "lowestLevel": "y", "mitigations": 6, "nist": 22, "cis": null, "d3fend": null, "engage": null, "splunk": 3, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1558", "techName": "Steal or Forge Kerberos Tickets", "technique": "T1558: Steal or Forge Kerberos Tickets", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1558", "lowestLevel": "n", "mitigations": 4, "nist": 19, "cis": null, "d3fend": 14, "engage": 4, "splunk": 15, "splunk_threatHunting": null, "elastic": 4, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 6, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1558.001", "techName": "Golden Ticket", "technique": "T1558.001: Golden Ticket", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1558/001", "lowestLevel": "y", "mitigations": 2, "nist": 9, "cis": null, "d3fend": 5, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1558.002", "techName": "Silver Ticket", "technique": "T1558.002: Silver Ticket", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1558/002", "lowestLevel": "y", "mitigations": 3, "nist": 19, "cis": null, "d3fend": 5, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1558.003", "techName": "Kerberoasting", "technique": "T1558.003: Kerberoasting", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1558/003", "lowestLevel": "y", "mitigations": 3, "nist": 19, "cis": null, "d3fend": 14, "engage": null, "splunk": 8, "splunk_threatHunting": null, "elastic": 4, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 6, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 11, "th_playbook": null, "art": 7, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": 1, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1558.004", "techName": "AS-REP Roasting", "technique": "T1558.004: AS-REP Roasting", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1558/004", "lowestLevel": "y", "mitigations": 3, "nist": 20, "cis": null, "d3fend": null, "engage": null, "splunk": 5, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1559", "techName": "Inter-Process Communication", "technique": "T1559: Inter-Process Communication", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1559", "lowestLevel": "n", "mitigations": 6, "nist": 19, "cis": null, "d3fend": null, "engage": 2, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1559.001", "techName": "Component Object Model", "technique": "T1559.001: Component Object Model", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1559/001", "lowestLevel": "y", "mitigations": 2, "nist": 13, "cis": null, "d3fend": null, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 4, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1559.002", "techName": "Dynamic Data Exchange", "technique": "T1559.002: Dynamic Data Exchange", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1559/002", "lowestLevel": "y", "mitigations": 4, "nist": 14, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 1, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1560", "techName": "Archive Collected Data", "technique": "T1560: Archive Collected Data", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1560", "lowestLevel": "n", "mitigations": 1, "nist": 5, "cis": null, "d3fend": 3, "engage": 3, "splunk": 6, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 3, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1560.001", "techName": "Archive via Utility", "technique": "T1560.001: Archive via Utility", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1560/001", "lowestLevel": "y", "mitigations": 1, "nist": 5, "cis": null, "d3fend": 3, "engage": null, "splunk": 6, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 10, "th_playbook": null, "art": 8, "car_red": 1, "rta": null, "prelude": 1, "stockpile": 3, "scythe": 2, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 3, "validate_potential": 1 }, { "techID": "T1560.002", "techName": "Archive via Library", "technique": "T1560.002: Archive via Library", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1560/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 5, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1560.003", "techName": "Archive via Custom Method", "technique": "T1560.003: Archive via Custom Method", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1560/003", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1561", "techName": "Disk Wipe", "technique": "T1561: Disk Wipe", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1561", "lowestLevel": "n", "mitigations": 1, "nist": 10, "cis": null, "d3fend": null, "engage": 5, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1561.001", "techName": "Disk Content Wipe", "technique": "T1561.001: Disk Content Wipe", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1561/001", "lowestLevel": "y", "mitigations": null, "nist": 10, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1561.002", "techName": "Disk Structure Wipe", "technique": "T1561.002: Disk Structure Wipe", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1561/002", "lowestLevel": "y", "mitigations": null, "nist": 10, "cis": null, "d3fend": null, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1562", "techName": "Impair Defenses", "technique": "T1562: Impair Defenses", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1562", "lowestLevel": "n", "mitigations": 2, "nist": 16, "cis": null, "d3fend": 16, "engage": 4, "splunk": 62, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": 6, "azure_sentinel": null, "logpoint": 15, "proofpoint_emergingThreats": null, "tanium_threatResponse": 19, "aws": 5, "gcp": null, "car": null, "atc": null, "sigma": 8, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": 2, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1562.001", "techName": "Disable or Modify Tools", "technique": "T1562.001: Disable or Modify Tools", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1562/001", "lowestLevel": "y", "mitigations": 2, "nist": 13, "cis": null, "d3fend": 7, "engage": null, "splunk": 45, "splunk_threatHunting": null, "elastic": 17, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 10, "proofpoint_emergingThreats": null, "tanium_threatResponse": 16, "aws": 4, "gcp": null, "car": 2, "atc": null, "sigma": 60, "th_playbook": null, "art": 35, "car_red": 1, "rta": null, "prelude": 4, "stockpile": 3, "scythe": 4, "policy_process_volume": 3, "detect_volume": 3, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1562.002", "techName": "Disable Windows Event Logging", "technique": "T1562.002: Disable Windows Event Logging", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1562/002", "lowestLevel": "y", "mitigations": 2, "nist": 13, "cis": null, "d3fend": 1, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 7, "th_playbook": null, "art": 6, "car_red": 7, "rta": null, "prelude": 7, "stockpile": null, "scythe": 1, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 2, "validate_potential": 1 }, { "techID": "T1562.003", "techName": "Impair Command History Logging", "technique": "T1562.003: Impair Command History Logging", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1562/003", "lowestLevel": "y", "mitigations": 2, "nist": 4, "cis": null, "d3fend": 8, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1562.004", "techName": "Disable or Modify System Firewall", "technique": "T1562.004: Disable or Modify System Firewall", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1562/004", "lowestLevel": "y", "mitigations": 2, "nist": 13, "cis": null, "d3fend": null, "engage": null, "splunk": 5, "splunk_threatHunting": null, "elastic": 4, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 10, "th_playbook": null, "art": 17, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": 4, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1562.006", "techName": "Indicator Blocking", "technique": "T1562.006: Indicator Blocking", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1562/006", "lowestLevel": "y", "mitigations": 4, "nist": 13, "cis": null, "d3fend": null, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 5, "proofpoint_emergingThreats": null, "tanium_threatResponse": 5, "aws": 2, "gcp": null, "car": 2, "atc": null, "sigma": 4, "th_playbook": null, "art": 7, "car_red": 1, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1562.007", "techName": "Disable or Modify Cloud Firewall", "technique": "T1562.007: Disable or Modify Cloud Firewall", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1562/007", "lowestLevel": "y", "mitigations": 2, "nist": 6, "cis": null, "d3fend": null, "engage": null, "splunk": 6, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": 2, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1562.008", "techName": "Disable Cloud Logs", "technique": "T1562.008: Disable Cloud Logs", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1562/008", "lowestLevel": "y", "mitigations": 1, "nist": 6, "cis": null, "d3fend": null, "engage": null, "splunk": 6, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 4, "gcp": 1, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 9, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1562.009", "techName": "Safe Mode Boot", "technique": "T1562.009: Safe Mode Boot", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1562/009", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 1, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1562.010", "techName": "Downgrade Attack", "technique": "T1562.010: Downgrade Attack", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1562/010", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1563", "techName": "Remote Service Session Hijacking", "technique": "T1563: Remote Service Session Hijacking", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1563", "lowestLevel": "n", "mitigations": 4, "nist": 19, "cis": null, "d3fend": 8, "engage": 5, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1563.001", "techName": "SSH Hijacking", "technique": "T1563.001: SSH Hijacking", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1563/001", "lowestLevel": "y", "mitigations": 4, "nist": 17, "cis": null, "d3fend": 8, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1563.002", "techName": "RDP Hijacking", "technique": "T1563.002: RDP Hijacking", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1563/002", "lowestLevel": "y", "mitigations": 7, "nist": 18, "cis": null, "d3fend": 8, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1564", "techName": "Hide Artifacts", "technique": "T1564: Hide Artifacts", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1564", "lowestLevel": "n", "mitigations": null, "nist": null, "cis": null, "d3fend": 10, "engage": 3, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": 6, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 5, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1564.001", "techName": "Hidden Files and Directories", "technique": "T1564.001: Hidden Files and Directories", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1564/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": 5, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 3, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 8, "th_playbook": null, "art": 8, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 0, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1564.002", "techName": "Hidden Users", "technique": "T1564.002: Hidden Users", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1564/002", "lowestLevel": "y", "mitigations": 1, "nist": 3, "cis": null, "d3fend": 4, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1564.003", "techName": "Hidden Window", "technique": "T1564.003: Hidden Window", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1564/003", "lowestLevel": "y", "mitigations": 1, "nist": 3, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1564.004", "techName": "NTFS File Attributes", "technique": "T1564.004: NTFS File Attributes", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1564/004", "lowestLevel": "y", "mitigations": 1, "nist": 6, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 2, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 2, "atc": null, "sigma": 15, "th_playbook": null, "art": 4, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1564.005", "techName": "Hidden File System", "technique": "T1564.005: Hidden File System", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1564/005", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 1, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1564.006", "techName": "Run Virtual Instance", "technique": "T1564.006: Run Virtual Instance", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1564/006", "lowestLevel": "y", "mitigations": 2, "nist": 7, "cis": null, "d3fend": 5, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1564.007", "techName": "VBA Stomping", "technique": "T1564.007: VBA Stomping", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1564/007", "lowestLevel": "y", "mitigations": 1, "nist": 4, "cis": null, "d3fend": 5, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1564.008", "techName": "Email Hiding Rules", "technique": "T1564.008: Email Hiding Rules", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1564/008", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 1, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1564.009", "techName": "Resource Forking", "technique": "T1564.009: Resource Forking", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1564/009", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1565", "techName": "Data Manipulation", "technique": "T1565: Data Manipulation", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1565", "lowestLevel": "n", "mitigations": 4, "nist": 26, "cis": null, "d3fend": 15, "engage": 3, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 4, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1565.001", "techName": "Stored Data Manipulation", "technique": "T1565.001: Stored Data Manipulation", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1565/001", "lowestLevel": "y", "mitigations": 3, "nist": 23, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": 1, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1565.002", "techName": "Transmitted Data Manipulation", "technique": "T1565.002: Transmitted Data Manipulation", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1565/002", "lowestLevel": "y", "mitigations": 1, "nist": 12, "cis": null, "d3fend": 8, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1565.003", "techName": "Runtime Data Manipulation", "technique": "T1565.003: Runtime Data Manipulation", "tactics": "Impact", "url": "https://attack.mitre.org/techniques/T1565/003", "lowestLevel": "y", "mitigations": 2, "nist": 12, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1566", "techName": "Phishing", "technique": "T1566: Phishing", "tactics": "Initial Access", "url": "https://attack.mitre.org/techniques/T1566", "lowestLevel": "n", "mitigations": 4, "nist": 12, "cis": null, "d3fend": 18, "engage": 7, "splunk": 29, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 4, "azure_sentinel": null, "logpoint": 12, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 5, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1566.001", "techName": "Spearphishing Attachment", "technique": "T1566.001: Spearphishing Attachment", "tactics": "Initial Access", "url": "https://attack.mitre.org/techniques/T1566/001", "lowestLevel": "y", "mitigations": 3, "nist": 12, "cis": null, "d3fend": 17, "engage": null, "splunk": 25, "splunk_threatHunting": null, "elastic": 11, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 11, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 12, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1566.002", "techName": "Spearphishing Link", "technique": "T1566.002: Spearphishing Link", "tactics": "Initial Access", "url": "https://attack.mitre.org/techniques/T1566/002", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": null, "d3fend": 18, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 6, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1566.003", "techName": "Spearphishing via Service", "technique": "T1566.003: Spearphishing via Service", "tactics": "Initial Access", "url": "https://attack.mitre.org/techniques/T1566/003", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": null, "d3fend": 5, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1567", "techName": "Exfiltration Over Web Service", "technique": "T1567: Exfiltration Over Web Service", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1567", "lowestLevel": "n", "mitigations": 1, "nist": 3, "cis": null, "d3fend": 9, "engage": 9, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": 6, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": 4, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1567.001", "techName": "Exfiltration to Code Repository", "technique": "T1567.001: Exfiltration to Code Repository", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1567/001", "lowestLevel": "y", "mitigations": 1, "nist": 3, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": 3, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1567.002", "techName": "Exfiltration to Cloud Storage", "technique": "T1567.002: Exfiltration to Cloud Storage", "tactics": "Exfiltration", "url": "https://attack.mitre.org/techniques/T1567/002", "lowestLevel": "y", "mitigations": 1, "nist": 3, "cis": null, "d3fend": 9, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": 2, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": 6, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": 2, "scythe": 9, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 3, "validate_potential": 3 }, { "techID": "T1568", "techName": "Dynamic Resolution", "technique": "T1568: Dynamic Resolution", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1568", "lowestLevel": "n", "mitigations": 2, "nist": 8, "cis": null, "d3fend": 14, "engage": 2, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 5, "azure_sentinel": null, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1568.001", "techName": "Fast Flux DNS", "technique": "T1568.001: Fast Flux DNS", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1568/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 14, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1568.002", "techName": "Domain Generation Algorithms", "technique": "T1568.002: Domain Generation Algorithms", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1568/002", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": null, "d3fend": 14, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 4, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1568.003", "techName": "DNS Calculation", "technique": "T1568.003: DNS Calculation", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1568/003", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 14, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1569", "techName": "System Services", "technique": "T1569: System Services", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1569", "lowestLevel": "n", "mitigations": 3, "nist": 14, "cis": null, "d3fend": null, "engage": 3, "splunk": 5, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": 8, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 4, "th_playbook": 2, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 2, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1569.001", "techName": "Launchctl", "technique": "T1569.001: Launchctl", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1569/001", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": 1, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1569.002", "techName": "Service Execution", "technique": "T1569.002: Service Execution", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1569/002", "lowestLevel": "y", "mitigations": 2, "nist": 13, "cis": null, "d3fend": null, "engage": null, "splunk": 5, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 8, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 4, "atc": null, "sigma": 33, "th_playbook": null, "art": 4, "car_red": 3, "rta": null, "prelude": null, "stockpile": 1, "scythe": 1, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1570", "techName": "Lateral Tool Transfer", "technique": "T1570: Lateral Tool Transfer", "tactics": "Lateral Movement", "url": "https://attack.mitre.org/techniques/T1570", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": null, "d3fend": 10, "engage": 2, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 4, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": 3, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": 2, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1571", "techName": "Non-Standard Port", "technique": "T1571: Non-Standard Port", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1571", "lowestLevel": "y", "mitigations": 2, "nist": 8, "cis": null, "d3fend": 9, "engage": 2, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 3, "azure_sentinel": null, "logpoint": 5, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1572", "techName": "Protocol Tunneling", "technique": "T1572: Protocol Tunneling", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1572", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": null, "d3fend": 9, "engage": 2, "splunk": null, "splunk_threatHunting": null, "elastic": 5, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 4, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 7, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1573", "techName": "Encrypted Channel", "technique": "T1573: Encrypted Channel", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1573", "lowestLevel": "n", "mitigations": 2, "nist": 11, "cis": null, "d3fend": 13, "engage": 3, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 4, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1573.001", "techName": "Symmetric Cryptography", "technique": "T1573.001: Symmetric Cryptography", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1573/001", "lowestLevel": "y", "mitigations": 1, "nist": 11, "cis": null, "d3fend": 9, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": 1, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1573.002", "techName": "Asymmetric Cryptography", "technique": "T1573.002: Asymmetric Cryptography", "tactics": "Command and Control", "url": "https://attack.mitre.org/techniques/T1573/002", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": null, "d3fend": 13, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1574", "techName": "Hijack Execution Flow", "technique": "T1574: Hijack Execution Flow", "tactics": "Persistence, Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1574", "lowestLevel": "n", "mitigations": 6, "nist": 19, "cis": null, "d3fend": 11, "engage": 2, "splunk": 5, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": 13, "proofpoint_emergingThreats": null, "tanium_threatResponse": 9, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 7, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1574.001", "techName": "DLL Search Order Hijacking", "technique": "T1574.001: DLL Search Order Hijacking", "tactics": "Persistence, Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1574/001", "lowestLevel": "y", "mitigations": 2, "nist": 9, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": 7, "th_playbook": null, "art": 3, "car_red": 2, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1574.002", "techName": "DLL Side-Loading", "technique": "T1574.002: DLL Side-Loading", "tactics": "Persistence, Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1574/002", "lowestLevel": "y", "mitigations": 3, "nist": 9, "cis": null, "d3fend": 3, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": 2, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 11, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 25, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1574.004", "techName": "Dylib Hijacking", "technique": "T1574.004: Dylib Hijacking", "tactics": "Persistence, Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1574/004", "lowestLevel": "y", "mitigations": 1, "nist": 13, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1574.005", "techName": "Executable Installer File Permissions Weakness", "technique": "T1574.005: Executable Installer File Permissions Weakness", "tactics": "Persistence, Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1574/005", "lowestLevel": "y", "mitigations": 3, "nist": 12, "cis": null, "d3fend": 2, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1574.006", "techName": "Dynamic Linker Hijacking", "technique": "T1574.006: Dynamic Linker Hijacking", "tactics": "Persistence, Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1574/006", "lowestLevel": "y", "mitigations": 1, "nist": 4, "cis": null, "d3fend": 4, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 9, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1574.007", "techName": "Path Interception by PATH Environment Variable", "technique": "T1574.007: Path Interception by PATH Environment Variable", "tactics": "Persistence, Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1574/007", "lowestLevel": "y", "mitigations": 3, "nist": 16, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 3, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1574.008", "techName": "Path Interception by Search Order Hijacking", "technique": "T1574.008: Path Interception by Search Order Hijacking", "tactics": "Persistence, Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1574/008", "lowestLevel": "y", "mitigations": 3, "nist": 16, "cis": null, "d3fend": 7, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1574.009", "techName": "Path Interception by Unquoted Path", "technique": "T1574.009: Path Interception by Unquoted Path", "tactics": "Persistence, Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1574/009", "lowestLevel": "y", "mitigations": 3, "nist": 16, "cis": null, "d3fend": 7, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": null, "th_playbook": null, "art": 3, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 2, "test_volume": 1, "validate_potential": 2 }, { "techID": "T1574.010", "techName": "Services File Permissions Weakness", "technique": "T1574.010: Services File Permissions Weakness", "tactics": "Persistence, Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1574/010", "lowestLevel": "y", "mitigations": 1, "nist": 12, "cis": null, "d3fend": 2, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": 1, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1574.011", "techName": "Services Registry Permissions Weakness", "technique": "T1574.011: Services Registry Permissions Weakness", "tactics": "Persistence, Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1574/011", "lowestLevel": "y", "mitigations": null, "nist": 2, "cis": null, "d3fend": 1, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 2, "aws": null, "gcp": null, "car": 4, "atc": null, "sigma": 6, "th_playbook": null, "art": 6, "car_red": 2, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 2, "test_volume": 2, "validate_potential": 2 }, { "techID": "T1574.012", "techName": "COR_PROFILER", "technique": "T1574.012: COR_PROFILER", "tactics": "Persistence, Privilege Escalation, Defense Evasion", "url": "https://attack.mitre.org/techniques/T1574/012", "lowestLevel": "y", "mitigations": 2, "nist": 9, "cis": null, "d3fend": 3, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 9, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 3, "validate_potential": 1 }, { "techID": "T1578", "techName": "Modify Cloud Compute Infrastructure", "technique": "T1578: Modify Cloud Compute Infrastructure", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1578", "lowestLevel": "n", "mitigations": 2, "nist": 11, "cis": null, "d3fend": null, "engage": 4, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": 6, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": 4, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1578.001", "techName": "Create Snapshot", "technique": "T1578.001: Create Snapshot", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1578/001", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1578.002", "techName": "Create Cloud Instance", "technique": "T1578.002: Create Cloud Instance", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1578/002", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1578.003", "techName": "Delete Cloud Instance", "technique": "T1578.003: Delete Cloud Instance", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1578/003", "lowestLevel": "y", "mitigations": 2, "nist": 11, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": 1, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1578.004", "techName": "Revert Cloud Instance", "technique": "T1578.004: Revert Cloud Instance", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1578/004", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1580", "techName": "Cloud Infrastructure Discovery", "technique": "T1580: Cloud Infrastructure Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1580", "lowestLevel": "y", "mitigations": 1, "nist": 5, "cis": null, "d3fend": null, "engage": 6, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 5, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1583", "techName": "Acquire Infrastructure", "technique": "T1583: Acquire Infrastructure", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1583", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1583.001", "techName": "Domains", "technique": "T1583.001: Domains", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1583/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1583.002", "techName": "DNS Server", "technique": "T1583.002: DNS Server", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1583/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1583.003", "techName": "Virtual Private Server", "technique": "T1583.003: Virtual Private Server", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1583/003", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1583.004", "techName": "Server", "technique": "T1583.004: Server", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1583/004", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1583.005", "techName": "Botnet", "technique": "T1583.005: Botnet", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1583/005", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1583.006", "techName": "Web Services", "technique": "T1583.006: Web Services", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1583/006", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1584", "techName": "Compromise Infrastructure", "technique": "T1584: Compromise Infrastructure", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1584", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1584.001", "techName": "Domains", "technique": "T1584.001: Domains", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1584/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1584.002", "techName": "DNS Server", "technique": "T1584.002: DNS Server", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1584/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1584.003", "techName": "Virtual Private Server", "technique": "T1584.003: Virtual Private Server", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1584/003", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1584.004", "techName": "Server", "technique": "T1584.004: Server", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1584/004", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1584.005", "techName": "Botnet", "technique": "T1584.005: Botnet", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1584/005", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1584.006", "techName": "Web Services", "technique": "T1584.006: Web Services", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1584/006", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1585", "techName": "Establish Accounts", "technique": "T1585: Establish Accounts", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1585", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1585.001", "techName": "Social Media Accounts", "technique": "T1585.001: Social Media Accounts", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1585/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1585.002", "techName": "Email Accounts", "technique": "T1585.002: Email Accounts", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1585/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1586", "techName": "Compromise Accounts", "technique": "T1586: Compromise Accounts", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1586", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1586.001", "techName": "Social Media Accounts", "technique": "T1586.001: Social Media Accounts", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1586/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1586.002", "techName": "Email Accounts", "technique": "T1586.002: Email Accounts", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1586/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1587", "techName": "Develop Capabilities", "technique": "T1587: Develop Capabilities", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1587", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 5, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1587.001", "techName": "Malware", "technique": "T1587.001: Malware", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1587/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 9, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1587.002", "techName": "Code Signing Certificates", "technique": "T1587.002: Code Signing Certificates", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1587/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1587.003", "techName": "Digital Certificates", "technique": "T1587.003: Digital Certificates", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1587/003", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1587.004", "techName": "Exploits", "technique": "T1587.004: Exploits", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1587/004", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1588", "techName": "Obtain Capabilities", "technique": "T1588: Obtain Capabilities", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1588", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1588.001", "techName": "Malware", "technique": "T1588.001: Malware", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1588/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1588.002", "techName": "Tool", "technique": "T1588.002: Tool", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1588/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 4, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1588.003", "techName": "Code Signing Certificates", "technique": "T1588.003: Code Signing Certificates", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1588/003", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1588.004", "techName": "Digital Certificates", "technique": "T1588.004: Digital Certificates", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1588/004", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1588.005", "techName": "Exploits", "technique": "T1588.005: Exploits", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1588/005", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1588.006", "techName": "Vulnerabilities", "technique": "T1588.006: Vulnerabilities", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1588/006", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1589", "techName": "Gather Victim Identity Information", "technique": "T1589: Gather Victim Identity Information", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1589", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": 3, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1589.001", "techName": "Credentials", "technique": "T1589.001: Credentials", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1589/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1589.002", "techName": "Email Addresses", "technique": "T1589.002: Email Addresses", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1589/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1589.003", "techName": "Employee Names", "technique": "T1589.003: Employee Names", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1589/003", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1590", "techName": "Gather Victim Network Information", "technique": "T1590: Gather Victim Network Information", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1590", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": 3, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 3, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1590.001", "techName": "Domain Properties", "technique": "T1590.001: Domain Properties", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1590/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1590.002", "techName": "DNS", "technique": "T1590.002: DNS", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1590/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1590.003", "techName": "Network Trust Dependencies", "technique": "T1590.003: Network Trust Dependencies", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1590/003", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1590.004", "techName": "Network Topology", "technique": "T1590.004: Network Topology", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1590/004", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1590.005", "techName": "IP Addresses", "technique": "T1590.005: IP Addresses", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1590/005", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": 2, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1590.006", "techName": "Network Security Appliances", "technique": "T1590.006: Network Security Appliances", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1590/006", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 3, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1591", "techName": "Gather Victim Org Information", "technique": "T1591: Gather Victim Org Information", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1591", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": 3, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1591.001", "techName": "Determine Physical Locations", "technique": "T1591.001: Determine Physical Locations", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1591/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1591.002", "techName": "Business Relationships", "technique": "T1591.002: Business Relationships", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1591/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1591.003", "techName": "Identify Business Tempo", "technique": "T1591.003: Identify Business Tempo", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1591/003", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1591.004", "techName": "Identify Roles", "technique": "T1591.004: Identify Roles", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1591/004", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1592", "techName": "Gather Victim Host Information", "technique": "T1592: Gather Victim Host Information", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1592", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": 5, "splunk": 4, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": 1, "proofpoint_emergingThreats": null, "tanium_threatResponse": 1, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1592.001", "techName": "Hardware", "technique": "T1592.001: Hardware", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1592/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1592.002", "techName": "Software", "technique": "T1592.002: Software", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1592/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1592.003", "techName": "Firmware", "technique": "T1592.003: Firmware", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1592/003", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1592.004", "techName": "Client Configurations", "technique": "T1592.004: Client Configurations", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1592/004", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 3, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1593", "techName": "Search Open Websites/Domains", "technique": "T1593: Search Open Websites/Domains", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1593", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": 4, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1593.001", "techName": "Social Media", "technique": "T1593.001: Social Media", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1593/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1593.002", "techName": "Search Engines", "technique": "T1593.002: Search Engines", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1593/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1594", "techName": "Search Victim-Owned Websites", "technique": "T1594: Search Victim-Owned Websites", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1594", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": 4, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1595", "techName": "Active Scanning", "technique": "T1595: Active Scanning", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1595", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": 6, "splunk": 1, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 5, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1595.001", "techName": "Scanning IP Blocks", "technique": "T1595.001: Scanning IP Blocks", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1595/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 1, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 5, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1595.002", "techName": "Vulnerability Scanning", "technique": "T1595.002: Vulnerability Scanning", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1595/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 4, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 5, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 2, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1596", "techName": "Search Open Technical Databases", "technique": "T1596: Search Open Technical Databases", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1596", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": 2, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1596.001", "techName": "DNS/Passive DNS", "technique": "T1596.001: DNS/Passive DNS", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1596/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1596.002", "techName": "WHOIS", "technique": "T1596.002: WHOIS", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1596/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1596.003", "techName": "Digital Certificates", "technique": "T1596.003: Digital Certificates", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1596/003", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1596.004", "techName": "CDNs", "technique": "T1596.004: CDNs", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1596/004", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1596.005", "techName": "Scan Databases", "technique": "T1596.005: Scan Databases", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1596/005", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1597", "techName": "Search Closed Sources", "technique": "T1597: Search Closed Sources", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1597", "lowestLevel": "n", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": 2, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1597.001", "techName": "Threat Intel Vendors", "technique": "T1597.001: Threat Intel Vendors", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1597/001", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1597.002", "techName": "Purchase Technical Data", "technique": "T1597.002: Purchase Technical Data", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1597/002", "lowestLevel": "y", "mitigations": 1, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1598", "techName": "Phishing for Information", "technique": "T1598: Phishing for Information", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1598", "lowestLevel": "n", "mitigations": 1, "nist": 11, "cis": null, "d3fend": null, "engage": 3, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1598.001", "techName": "Spearphishing Service", "technique": "T1598.001: Spearphishing Service", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1598/001", "lowestLevel": "y", "mitigations": 1, "nist": 7, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1598.002", "techName": "Spearphishing Attachment", "technique": "T1598.002: Spearphishing Attachment", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1598/002", "lowestLevel": "y", "mitigations": 1, "nist": 11, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1598.003", "techName": "Spearphishing Link", "technique": "T1598.003: Spearphishing Link", "tactics": "Reconnaissance", "url": "https://attack.mitre.org/techniques/T1598/003", "lowestLevel": "y", "mitigations": 1, "nist": 11, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1599", "techName": "Network Boundary Bridging", "technique": "T1599: Network Boundary Bridging", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1599", "lowestLevel": "n", "mitigations": 5, "nist": 18, "cis": null, "d3fend": null, "engage": 3, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1599.001", "techName": "Network Address Translation Traversal", "technique": "T1599.001: Network Address Translation Traversal", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1599/001", "lowestLevel": "y", "mitigations": 5, "nist": 18, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1600", "techName": "Weaken Encryption", "technique": "T1600: Weaken Encryption", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1600", "lowestLevel": "n", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 6, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1600.001", "techName": "Reduce Key Space", "technique": "T1600.001: Reduce Key Space", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1600/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1600.002", "techName": "Disable Crypto Hardware", "technique": "T1600.002: Disable Crypto Hardware", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1600/002", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1601", "techName": "Modify System Image", "technique": "T1601: Modify System Image", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1601", "lowestLevel": "n", "mitigations": 6, "nist": 26, "cis": null, "d3fend": null, "engage": 4, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1601.001", "techName": "Patch System Image", "technique": "T1601.001: Patch System Image", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1601/001", "lowestLevel": "y", "mitigations": 6, "nist": 26, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1601.002", "techName": "Downgrade System Image", "technique": "T1601.002: Downgrade System Image", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1601/002", "lowestLevel": "y", "mitigations": 6, "nist": 26, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1602", "techName": "Data from Configuration Repository", "technique": "T1602: Data from Configuration Repository", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1602", "lowestLevel": "n", "mitigations": 7, "nist": 25, "cis": null, "d3fend": null, "engage": 8, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 3, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1602.001", "techName": "SNMP (MIB Dump)", "technique": "T1602.001: SNMP (MIB Dump)", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1602/001", "lowestLevel": "y", "mitigations": 7, "nist": 25, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1602.002", "techName": "Network Device Configuration Dump", "technique": "T1602.002: Network Device Configuration Dump", "tactics": "Collection", "url": "https://attack.mitre.org/techniques/T1602/002", "lowestLevel": "y", "mitigations": 7, "nist": 25, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1606", "techName": "Forge Web Credentials", "technique": "T1606: Forge Web Credentials", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1606", "lowestLevel": "n", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 3, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1606.001", "techName": "Web Cookies", "technique": "T1606.001: Web Cookies", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1606/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1606.002", "techName": "SAML Tokens", "technique": "T1606.002: SAML Tokens", "tactics": "Credential Access", "url": "https://attack.mitre.org/techniques/T1606/002", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": 2, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": 1, "atc": null, "sigma": null, "th_playbook": null, "art": 1, "car_red": 2, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1608", "techName": "Stage Capabilities", "technique": "T1608: Stage Capabilities", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1608", "lowestLevel": "n", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1608.001", "techName": "Upload Malware", "technique": "T1608.001: Upload Malware", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1608/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1608.002", "techName": "Upload Tool", "technique": "T1608.002: Upload Tool", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1608/002", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1608.003", "techName": "Install Digital Certificate", "technique": "T1608.003: Install Digital Certificate", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1608/003", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1608.004", "techName": "Drive-by Target", "technique": "T1608.004: Drive-by Target", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1608/004", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1608.005", "techName": "Link Target", "technique": "T1608.005: Link Target", "tactics": "Resource Development", "url": "https://attack.mitre.org/techniques/T1608/005", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1609", "techName": "Container Administration Command", "technique": "T1609: Container Administration Command", "tactics": "Execution", "url": "https://attack.mitre.org/techniques/T1609", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 2, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1610", "techName": "Deploy Container", "technique": "T1610: Deploy Container", "tactics": "Defense Evasion, Execution", "url": "https://attack.mitre.org/techniques/T1610", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 1, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 2, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1611", "techName": "Escape to Host", "technique": "T1611: Escape to Host", "tactics": "Privilege Escalation", "url": "https://attack.mitre.org/techniques/T1611", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 1, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 1, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1612", "techName": "Build Image on Host", "technique": "T1612: Build Image on Host", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1612", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 1, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1613", "techName": "Container and Resource Discovery", "technique": "T1613: Container and Resource Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1613", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 7, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": 1, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 2, "detect_volume": 1, "test_volume": 0, "validate_potential": 1 }, { "techID": "T1614", "techName": "System Location Discovery", "technique": "T1614: System Location Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1614", "lowestLevel": "n", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": 5, "splunk": null, "splunk_threatHunting": null, "elastic": 1, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": 2, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1614.001", "techName": "System Language Discovery", "technique": "T1614.001: System Language Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1614/001", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 1, "th_playbook": null, "art": 2, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1615", "techName": "Group Policy Discovery", "technique": "T1615: Group Policy Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1615", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": null, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": 2, "th_playbook": null, "art": 5, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 0, "detect_volume": 0, "test_volume": 1, "validate_potential": 1 }, { "techID": "T1619", "techName": "Cloud Storage Object Discovery", "technique": "T1619: Cloud Storage Object Discovery", "tactics": "Discovery", "url": "https://attack.mitre.org/techniques/T1619", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 1, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": null, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 }, { "techID": "T1620", "techName": "Reflective Code Loading", "technique": "T1620: Reflective Code Loading", "tactics": "Defense Evasion", "url": "https://attack.mitre.org/techniques/T1620", "lowestLevel": "y", "mitigations": null, "nist": null, "cis": null, "d3fend": 2, "engage": null, "splunk": null, "splunk_threatHunting": null, "elastic": null, "eql_analytics": null, "azure_fullStack": null, "sentinel_defender": null, "azure_sentinel": null, "logpoint": null, "proofpoint_emergingThreats": null, "tanium_threatResponse": null, "aws": null, "gcp": null, "car": null, "atc": null, "sigma": null, "th_playbook": null, "art": 1, "car_red": null, "rta": null, "prelude": null, "stockpile": null, "scythe": null, "policy_process_volume": 1, "detect_volume": 0, "test_volume": 0, "validate_potential": 0 } ]