diff --git a/.github/workflows/sphinx.yml b/.github/workflows/sphinx.yml
index 18802e4..09e4232 100644
--- a/.github/workflows/sphinx.yml
+++ b/.github/workflows/sphinx.yml
@@ -29,6 +29,14 @@ jobs:
 run: poetry run python src/util/cli_validator.py
 - name: Build HTML docs
 run: poetry run make docs-ci
+ - name: Copy Mappings Excel to Website
+ run: mkdir docs/extra/xlsx && cp "mappings/input/enterprise/xlsx/Sensor to Data Source.xlsx" docs/extra/xlsx
+ - name: Copy Mappings CSVs to Website
+ run: mkdir docs/extra/csv && cp mappings/input/enterprise/csv/*.csv docs/extra/csv
+ - name: Copy Navigator Layers to Website
+ run: mkdir docs/extra/navigator && cp mappings/layers/enterprise/*.json docs/extra/navigator
+ - name: Copy STIX Bundles to Website
+ run: mkdir docs/extra/stix && cp mappings/stix/enterprise/*.json docs/extra/stix
 - name: Upload HTML docs
 uses: actions/upload-artifact@v3
 with:
diff --git a/docs/_static/handsontable.full.min.css b/docs/_static/handsontable.full.min.css
deleted file mode 100644
index b6e78fd..0000000
--- a/docs/_static/handsontable.full.min.css
+++ /dev/null
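Review bot: Each of the four added steps calls plain `mkdir` on a nested path, so the step fails if `docs/extra` is not already present in the checkout or if the target directory already exists from an earlier build step; `run: mkdir -p docs/extra/xlsx && cp "mappings/input/enterprise/xlsx/Sensor to Data Source.xlsx" docs/extra/xlsx` (and the same `-p` on the csv, navigator and stix steps) makes the copies idempotent. The `cp ... *.json` and `*.csv` globs still fail the job when nothing matches, which is the safer behaviour for a publish step and worth keeping rather than silencing. The copies run after "Build HTML docs" and land in `docs/extra/` of the source tree; whether they reach the published site depends on the `path:` given to the upload step, which lies outside this hunk, so confirm that `docs/extra` is part of what is uploaded. As a point of style, the four steps could be one `run: |` block with a single `mkdir -p` listing all four directories, so the set of published artifacts is maintained in one place.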
@@ -1,31 +0,0 @@ -@charset "UTF-8";/*! -(The MIT License) - -Copyright (c) 2012-2014 Marcin Warpechowski -Copyright (c) 2015 Handsoncode sp. z o.o. - -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -'Software'), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. -IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY -CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, -TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE -SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- -*/.handsontable{position:relative}.handsontable .hide{display:none}.handsontable .relative{position:relative}.handsontable.htAutoSize{visibility:hidden;left:-99000px;position:absolute;top:-99000px}.handsontable .wtHider{width:0}.handsontable .wtSpreader{position:relative;width:0;height:auto}.handsontable table,.handsontable tbody,.handsontable thead,.handsontable td,.handsontable th,.handsontable input,.handsontable textarea,.handsontable div{box-sizing:content-box;-webkit-box-sizing:content-box;-moz-box-sizing:content-box}.handsontable input,.handsontable textarea{min-height:initial}.handsontable table.htCore{border-collapse:separate;border-spacing:0;margin:0;border-width:0;table-layout:fixed;width:0;outline-width:0;max-width:none;max-height:none}.handsontable col{width:50px}.handsontable col.rowHeader{width:50px}.handsontable th,.handsontable td{border-top-width:0;border-left-width:0;border-right:1px solid #CCC;border-bottom:1px solid #CCC;height:22px;empty-cells:show;line-height:21px;padding:0 4px 0 4px;background-color:#FFF;vertical-align:top;overflow:hidden;outline-width:0;white-space:pre-line;background-clip:padding-box}.handsontable td.htInvalid{background-color:#ff4c42!important}.handsontable td.htNoWrap{white-space:nowrap}.handsontable th:last-child{border-right:1px solid #CCC;border-bottom:1px solid #CCC}.handsontable tr:first-child th.htNoFrame,.handsontable th:first-child.htNoFrame,.handsontable th.htNoFrame{border-left-width:0;background-color:white;border-color:#FFF}.handsontable th:first-child,.handsontable th:nth-child(2),.handsontable td:first-of-type,.handsontable .htNoFrame+th,.handsontable .htNoFrame+td{border-left:1px solid #CCC}.handsontable.htRowHeaders thead tr th:nth-child(2){border-left:1px solid #CCC}.handsontable tr:first-child th,.handsontable tr:first-child td{border-top:1px solid #CCC}.ht_master:not(.innerBorderLeft):not(.emptyColumns) ~ .handsontable tbody tr th,.ht_master:not(.innerBorderLeft):not(.emptyColumns) ~ 
.handsontable:not(.ht_clone_top) thead tr th:first-child{border-right-width:0}.ht_master:not(.innerBorderTop) thead tr:last-child th,.ht_master:not(.innerBorderTop) ~ .handsontable thead tr:last-child th,.ht_master:not(.innerBorderTop) thead tr.lastChild th,.ht_master:not(.innerBorderTop) ~ .handsontable thead tr.lastChild th{border-bottom-width:0}.handsontable th{background-color:#f3f3f3;color:#222;text-align:center;font-weight:normal;white-space:nowrap}.handsontable thead th{padding:0}.handsontable th.active{background-color:#CCC}.handsontable thead th .relative{padding:2px 4px}.handsontable tbody th.ht__highlight,.handsontable thead th.ht__highlight{background-color:#dcdcdc}.handsontable.ht__selection--columns thead th.ht__highlight,.handsontable.ht__selection--rows tbody th.ht__highlight{background-color:#8eb0e7;color:#000}.handsontable .manualColumnResizer{position:fixed;top:0;cursor:col-resize;z-index:110;width:5px;height:25px}.handsontable .manualRowResizer{position:fixed;left:0;cursor:row-resize;z-index:110;height:5px;width:50px}.handsontable .manualColumnResizer:hover,.handsontable .manualColumnResizer.active,.handsontable .manualRowResizer:hover,.handsontable .manualRowResizer.active{background-color:#AAB}.handsontable .manualColumnResizerGuide{position:fixed;right:0;top:0;background-color:#AAB;display:none;width:0;border-right:1px dashed #777;margin-left:5px}.handsontable .manualRowResizerGuide{position:fixed;left:0;bottom:0;background-color:#AAB;display:none;height:0;border-bottom:1px dashed #777;margin-top:5px}.handsontable .manualColumnResizerGuide.active,.handsontable .manualRowResizerGuide.active{display:block;z-index:199}.handsontable .columnSorting{position:relative}.handsontable .columnSorting:hover{text-decoration:underline;cursor:pointer}.handsontable .columnSorting.ascending::after{content:'\25B2';color:#5f5f5f;position:absolute;right:-15px}.handsontable 
.columnSorting.descending::after{content:'\25BC';color:#5f5f5f;position:absolute;right:-15px}.handsontable .wtBorder{position:absolute;font-size:0}.handsontable .wtBorder.hidden{display:none!important}.handsontable td.area{background:-moz-linear-gradient(top,rgba(181,209,255,0.34) 0,rgba(181,209,255,0.34) 100%);background:-webkit-gradient(linear,left top,left bottom,color-stop(0%,rgba(181,209,255,0.34)),color-stop(100%,rgba(181,209,255,0.34)));background:-webkit-linear-gradient(top,rgba(181,209,255,0.34) 0,rgba(181,209,255,0.34) 100%);background:-o-linear-gradient(top,rgba(181,209,255,0.34) 0,rgba(181,209,255,0.34) 100%);background:-ms-linear-gradient(top,rgba(181,209,255,0.34) 0,rgba(181,209,255,0.34) 100%);background:linear-gradient(to bottom,rgba(181,209,255,0.34) 0,rgba(181,209,255,0.34) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#57b5d1ff',endColorstr='#57b5d1ff',GradientType=0);background-color:#fff}.handsontable .wtBorder.corner{font-size:0;cursor:crosshair}.handsontable .htBorder.htFillBorder{background:red;width:1px;height:1px}.handsontableInput{border:0;outline-width:0;margin:0;padding:1px 5px 0 5px;font-family:inherit;line-height:21px;font-size:inherit;box-shadow:0 0 0 2px #5292f7 inset;resize:none;display:inline-block;color:#000;border-radius:0;background-color:#FFF}.handsontableInputHolder{position:absolute;top:0;left:0;z-index:100}.htSelectEditor{-webkit-appearance:menulist-button!important;position:absolute;width:auto}.handsontable .htDimmed{color:#777}.handsontable .htSubmenu{position:relative}.handsontable .htSubmenu :after{content:'▶';color:#777;position:absolute;right:5px}.handsontable .htLeft{text-align:left}.handsontable .htCenter{text-align:center}.handsontable .htRight{text-align:right}.handsontable .htJustify{text-align:justify}.handsontable .htTop{vertical-align:top}.handsontable .htMiddle{vertical-align:middle}.handsontable .htBottom{vertical-align:bottom}.handsontable .htPlaceholder{color:#999}.handsontable 
.htAutocompleteArrow{float:right;font-size:10px;color:#EEE;cursor:default;width:16px;text-align:center}.handsontable td .htAutocompleteArrow:hover{color:#777}.handsontable td.area .htAutocompleteArrow{color:#d3d3d3}.handsontable .htCheckboxRendererInput{display:inline-block;vertical-align:middle}.handsontable .htCheckboxRendererInput.noValue{opacity:.5}.handsontable .htCheckboxRendererLabel{cursor:pointer;display:inline-block;width:100%}@-webkit-keyframes opacity-hide{from{opacity:1}to{opacity:0}}@keyframes opacity-hide{from{opacity:1}to{opacity:0}}@-webkit-keyframes opacity-show{from{opacity:0}to{opacity:1}}@keyframes opacity-show{from{opacity:0}to{opacity:1}}.handsontable .handsontable.ht_clone_top .wtHider{padding:0 0 5px 0}.handsontable .autocompleteEditor.handsontable{padding-right:17px}.handsontable .autocompleteEditor.handsontable.htMacScroll{padding-right:15px}.handsontable.listbox{margin:0}.handsontable.listbox .ht_master table{border:1px solid #ccc;border-collapse:separate;background:white}.handsontable.listbox th,.handsontable.listbox tr:first-child th,.handsontable.listbox tr:last-child th,.handsontable.listbox tr:first-child td,.handsontable.listbox td{border-color:transparent}.handsontable.listbox th,.handsontable.listbox td{white-space:nowrap;text-overflow:ellipsis}.handsontable.listbox td.htDimmed{cursor:default;color:inherit;font-style:inherit}.handsontable.listbox .wtBorder{visibility:hidden}.handsontable.listbox tr td.current,.handsontable.listbox tr:hover td{background:#eee}.ht_clone_top{z-index:101}.ht_clone_left{z-index:102}.ht_clone_top_left_corner,.ht_clone_bottom_left_corner{z-index:103}.ht_clone_debug{z-index:103}.handsontable 
td.htSearchResult{background:#fcedd9;color:#583707}.htBordered{border-width:1px}.htBordered.htTopBorderSolid{border-top-style:solid;border-top-color:#000}.htBordered.htRightBorderSolid{border-right-style:solid;border-right-color:#000}.htBordered.htBottomBorderSolid{border-bottom-style:solid;border-bottom-color:#000}.htBordered.htLeftBorderSolid{border-left-style:solid;border-left-color:#000}.handsontable tbody tr th:nth-last-child(2){border-right:1px solid #CCC}.handsontable thead tr:nth-last-child(2) th.htGroupIndicatorContainer{border-bottom:1px solid #CCC;padding-bottom:5px}.ht_clone_top_left_corner thead tr th:nth-last-child(2){border-right:1px solid #CCC}.htCollapseButton{width:10px;height:10px;line-height:10px;text-align:center;border-radius:5px;border:1px solid #f3f3f3;-webkit-box-shadow:1px 1px 3px rgba(0,0,0,0.4);box-shadow:1px 1px 3px rgba(0,0,0,0.4);cursor:pointer;margin-bottom:3px;position:relative}.htCollapseButton:after{content:"";height:300%;width:1px;display:block;background:#ccc;margin-left:4px;position:absolute;bottom:10px}thead .htCollapseButton{right:5px;position:absolute;top:5px;background:#fff}thead .htCollapseButton:after{height:1px;width:700%;right:10px;top:4px}.handsontable tr th .htExpandButton{position:absolute;width:10px;height:10px;line-height:10px;text-align:center;border-radius:5px;border:1px solid #f3f3f3;-webkit-box-shadow:1px 1px 3px rgba(0,0,0,0.4);box-shadow:1px 1px 3px rgba(0,0,0,0.4);cursor:pointer;top:0;display:none}.handsontable thead tr th .htExpandButton{top:5px}.handsontable tr th .htExpandButton.clickable{display:block}.collapsibleIndicator{position:absolute;top:50%;transform:translate(0%,-50%);right:5px;border:1px solid #a6a6a6;line-height:10px;color:#222;border-radius:10px;font-size:10px;width:10px;height:10px;cursor:pointer;-webkit-box-shadow:0 0 0 6px rgba(238,238,238,1);-moz-box-shadow:0 0 0 6px rgba(238,238,238,1);box-shadow:0 0 0 6px rgba(238,238,238,1);background:#eee}.handsontable 
col.hidden{width:0!important}.handsontable table tr th.lightRightBorder{border-right:1px solid #e6e6e6}.handsontable tr.hidden,.handsontable tr.hidden td,.handsontable tr.hidden th{display:none}.ht_master,.ht_clone_left,.ht_clone_top,.ht_clone_bottom{overflow:hidden}.ht_master .wtHolder{overflow:auto}.ht_clone_left .wtHolder{overflow-x:hidden;overflow-y:auto}.ht_clone_top .wtHolder,.ht_clone_bottom .wtHolder{overflow-x:auto;overflow-y:hidden}.wtDebugHidden{display:none}.wtDebugVisible{display:block;-webkit-animation-duration:.5s;-webkit-animation-name:wtFadeInFromNone;animation-duration:.5s;animation-name:wtFadeInFromNone}@keyframes wtFadeInFromNone{0%{display:none;opacity:0}1%{display:block;opacity:0}100%{display:block;opacity:1}}@-webkit-keyframes wtFadeInFromNone{0%{display:none;opacity:0}1%{display:block;opacity:0}100%{display:block;opacity:1}}.handsontable.mobile,.handsontable.mobile .wtHolder{-webkit-touch-callout:none;-webkit-user-select:none;-khtml-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;-webkit-tap-highlight-color:rgba(0,0,0,0);-webkit-overflow-scrolling:touch}.htMobileEditorContainer{display:none;position:absolute;top:0;width:70%;height:54pt;background:#f8f8f8;border-radius:20px;border:1px solid #ebebeb;z-index:999;box-sizing:border-box;-webkit-box-sizing:border-box;-webkit-text-size-adjust:none}.topLeftSelectionHandle:not(.ht_master .topLeftSelectionHandle),.topLeftSelectionHandle-HitArea:not(.ht_master .topLeftSelectionHandle-HitArea){z-index:9999}.topLeftSelectionHandle,.topLeftSelectionHandle-HitArea,.bottomRightSelectionHandle,.bottomRightSelectionHandle-HitArea{left:-10000px;top:-10000px}.htMobileEditorContainer.active{display:block}.htMobileEditorContainer .inputs{position:absolute;right:210pt;bottom:10pt;top:10pt;left:14px;height:34pt}.htMobileEditorContainer .inputs textarea{font-size:13pt;border:1px solid 
#a1a1a1;-webkit-appearance:none;-webkit-box-shadow:none;-moz-box-shadow:none;box-shadow:none;position:absolute;left:14px;right:14px;top:0;bottom:0;padding:7pt}.htMobileEditorContainer .cellPointer{position:absolute;top:-13pt;height:0;width:0;left:30px;border-left:13pt solid transparent;border-right:13pt solid transparent;border-bottom:13pt solid #ebebeb}.htMobileEditorContainer .cellPointer.hidden{display:none}.htMobileEditorContainer .cellPointer:before{content:'';display:block;position:absolute;top:2px;height:0;width:0;left:-13pt;border-left:13pt solid transparent;border-right:13pt solid transparent;border-bottom:13pt solid #f8f8f8}.htMobileEditorContainer .moveHandle{position:absolute;top:10pt;left:5px;width:30px;bottom:0;cursor:move;z-index:9999}.htMobileEditorContainer .moveHandle:after{content:"..\a..\a..\a..";white-space:pre;line-height:10px;font-size:20pt;display:inline-block;margin-top:-8px;color:#ebebeb}.htMobileEditorContainer .positionControls{width:205pt;position:absolute;right:5pt;top:0;bottom:0}.htMobileEditorContainer .positionControls>div{width:50pt;height:100%;float:left}.htMobileEditorContainer .positionControls>div:after{content:" ";display:block;width:15pt;height:15pt;text-align:center;line-height:50pt}.htMobileEditorContainer .leftButton:after,.htMobileEditorContainer .rightButton:after,.htMobileEditorContainer .upButton:after,.htMobileEditorContainer .downButton:after{transform-origin:5pt 5pt;-webkit-transform-origin:5pt 5pt;margin:21pt 0 0 21pt}.htMobileEditorContainer .leftButton:after{border-top:2px solid #288ffe;border-left:2px solid #288ffe;-webkit-transform:rotate(-45deg)}.htMobileEditorContainer .leftButton:active:after{border-color:#cfcfcf}.htMobileEditorContainer .rightButton:after{border-top:2px solid #288ffe;border-left:2px solid #288ffe;-webkit-transform:rotate(135deg)}.htMobileEditorContainer .rightButton:active:after{border-color:#cfcfcf}.htMobileEditorContainer .upButton:after{border-top:2px solid #288ffe;border-left:2px solid 
#288ffe;-webkit-transform:rotate(45deg)}.htMobileEditorContainer .upButton:active:after{border-color:#cfcfcf}.htMobileEditorContainer .downButton:after{border-top:2px solid #288ffe;border-left:2px solid #288ffe;-webkit-transform:rotate(225deg)}.htMobileEditorContainer .downButton:active:after{border-color:#cfcfcf}.handsontable.hide-tween{-webkit-animation:opacity-hide .3s;animation:opacity-hide .3s;animation-fill-mode:forwards;-webkit-animation-fill-mode:forwards}.handsontable.show-tween{-webkit-animation:opacity-show .3s;animation:opacity-show .3s;animation-fill-mode:forwards;-webkit-animation-fill-mode:forwards}.htCommentCell{position:relative}.htCommentCell:after{content:'';position:absolute;top:0;right:0;border-left:6px solid transparent;border-top:6px solid black}.htComments{display:none;z-index:1059;position:absolute}.htCommentTextArea{box-shadow:rgba(0,0,0,0.117647) 0 1px 3px,rgba(0,0,0,0.239216) 0 1px 2px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;border:0;border-left:3px solid #ccc;background-color:#fff;width:215px;height:90px;font-size:12px;padding:5px;outline:0!important;-webkit-appearance:none}.htCommentTextArea:focus{box-shadow:rgba(0,0,0,0.117647) 0 1px 3px,rgba(0,0,0,0.239216) 0 1px 2px,inset 0 0 0 1px #5292f7;border-left:3px solid #5292f7}/*! 
- * Handsontable ContextMenu - */.htContextMenu{display:none;position:absolute;z-index:1060}.htContextMenu .ht_clone_top,.htContextMenu .ht_clone_left,.htContextMenu .ht_clone_corner,.htContextMenu .ht_clone_debug{display:none}.htContextMenu table.htCore{border:1px solid #ccc;border-bottom-width:2px;border-right-width:2px}.htContextMenu .wtBorder{visibility:hidden}.htContextMenu table tbody tr td{background:white;border-width:0;padding:4px 6px 0 6px;cursor:pointer;overflow:hidden;white-space:nowrap;text-overflow:ellipsis}.htContextMenu table tbody tr td:first-child{border:0}.htContextMenu table tbody tr td.htDimmed{font-style:normal;color:#323232}.htContextMenu table tbody tr td.current,.htContextMenu table tbody tr td.zeroclipboard-is-hover{background:#f3f3f3}.htContextMenu table tbody tr td.htSeparator{border-top:1px solid #bbb;height:0;padding:0;cursor:default}.htContextMenu table tbody tr td.htDisabled{color:#999;cursor:default}.htContextMenu table tbody tr td.htDisabled:hover{background:#fff;color:#999;cursor:default}.htContextMenu table tbody tr.htHidden{display:none}.htContextMenu table tbody tr td .htItemWrapper{margin-left:10px;margin-right:6px}.htContextMenu table tbody tr td div span.selected{margin-top:-2px;position:absolute;left:4px}.htContextMenu .ht_master .wtHolder{overflow:hidden}.htRowHeaders .ht_master.innerBorderLeft ~ .ht_clone_top_left_corner th:nth-child(2),.htRowHeaders .ht_master.innerBorderLeft ~ .ht_clone_left td:first-of-type{border-left:0 none}.handsontable .wtHider{position:relative}.handsontable.ht__manualColumnMove.after-selection--columns thead th.ht__highlight{cursor:move;cursor:-moz-grab;cursor:-webkit-grab;cursor:grab}.handsontable.ht__manualColumnMove.on-moving--columns,.handsontable.ht__manualColumnMove.on-moving--columns thead th.ht__highlight{cursor:move;cursor:-moz-grabbing;cursor:-webkit-grabbing;cursor:grabbing}.handsontable.ht__manualColumnMove.on-moving--columns .manualColumnResizer{display:none}.handsontable 
.ht__manualColumnMove--guideline,.handsontable .ht__manualColumnMove--backlight{position:absolute;height:100%;display:none}.handsontable .ht__manualColumnMove--guideline{background:#757575;width:2px;top:0;margin-left:-1px;z-index:105}.handsontable .ht__manualColumnMove--backlight{background:#343434;background:rgba(52,52,52,0.25);display:none;z-index:105;pointer-events:none}.handsontable.on-moving--columns.show-ui .ht__manualColumnMove--guideline,.handsontable.on-moving--columns .ht__manualColumnMove--backlight{display:block}.handsontable .wtHider{position:relative}.handsontable.ht__manualRowMove.after-selection--rows tbody th.ht__highlight{cursor:move;cursor:-moz-grab;cursor:-webkit-grab;cursor:grab}.handsontable.ht__manualRowMove.on-moving--rows,.handsontable.ht__manualRowMove.on-moving--rows tbody th.ht__highlight{cursor:move;cursor:-moz-grabbing;cursor:-webkit-grabbing;cursor:grabbing}.handsontable.ht__manualRowMove.on-moving--rows .manualRowResizer{display:none}.handsontable .ht__manualRowMove--guideline,.handsontable .ht__manualRowMove--backlight{position:absolute;width:100%;display:none}.handsontable .ht__manualRowMove--guideline{background:#757575;height:2px;left:0;margin-top:-1px;z-index:105}.handsontable .ht__manualRowMove--backlight{background:#343434;background:rgba(52,52,52,0.25);display:none;z-index:105;pointer-events:none}.handsontable.on-moving--rows.show-ui .ht__manualRowMove--guideline,.handsontable.on-moving--rows .ht__manualRowMove--backlight{display:block}/*! 
- * Pikaday - * Copyright © 2014 David Bushell | BSD & MIT license | http://dbushell.com/ - */.pika-single{z-index:9999;display:block;position:relative;color:#333;background:#fff;border:1px solid #ccc;border-bottom-color:#bbb;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif}.pika-single:before,.pika-single:after{content:" ";display:table}.pika-single:after{clear:both}.pika-single{*zoom:1}.pika-single.is-hidden{display:none}.pika-single.is-bound{position:absolute;box-shadow:0 5px 15px -5px rgba(0,0,0,.5)}.pika-lendar{float:left;width:240px;margin:8px}.pika-title{position:relative;text-align:center}.pika-label{display:inline-block;*display:inline;position:relative;z-index:9999;overflow:hidden;margin:0;padding:5px 3px;font-size:14px;line-height:20px;font-weight:bold;background-color:#fff}.pika-title select{cursor:pointer;position:absolute;z-index:9998;margin:0;left:0;top:5px;filter:alpha(opacity=0);opacity:0}.pika-prev,.pika-next{display:block;cursor:pointer;position:relative;outline:0;border:0;padding:0;width:20px;height:30px;text-indent:20px;white-space:nowrap;overflow:hidden;background-color:transparent;background-position:center center;background-repeat:no-repeat;background-size:75% 75%;opacity:.5;*position:absolute;*top:0}.pika-prev:hover,.pika-next:hover{opacity:1}.pika-prev,.is-rtl .pika-next{float:left;background-image:url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAeCAYAAAAsEj5rAAAAUklEQVR42u3VMQoAIBADQf8Pgj+OD9hG2CtONJB2ymQkKe0HbwAP0xucDiQWARITIDEBEnMgMQ8S8+AqBIl6kKgHiXqQqAeJepBo/z38J/U0uAHlaBkBl9I4GwAAAABJRU5ErkJggg==');*left:0}.pika-next,.is-rtl 
.pika-prev{float:right;background-image:url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAeCAYAAAAsEj5rAAAAU0lEQVR42u3VOwoAMAgE0dwfAnNjU26bYkBCFGwfiL9VVWoO+BJ4Gf3gtsEKKoFBNTCoCAYVwaAiGNQGMUHMkjGbgjk2mIONuXo0nC8XnCf1JXgArVIZAQh5TKYAAAAASUVORK5CYII=');*right:0}.pika-prev.is-disabled,.pika-next.is-disabled{cursor:default;opacity:.2}.pika-select{display:inline-block;*display:inline}.pika-table{width:100%;border-collapse:collapse;border-spacing:0;border:0}.pika-table th,.pika-table td{width:14.285714285714286%;padding:0}.pika-table th{color:#999;font-size:12px;line-height:25px;font-weight:bold;text-align:center}.pika-button{cursor:pointer;display:block;box-sizing:border-box;-moz-box-sizing:border-box;outline:0;border:0;margin:0;width:100%;padding:5px;color:#666;font-size:12px;line-height:15px;text-align:right;background:#f5f5f5}.pika-week{font-size:11px;color:#999}.is-today .pika-button{color:#3af;font-weight:bold}.is-selected .pika-button{color:#fff;font-weight:bold;background:#3af;box-shadow:inset 0 1px 3px #178fe5;border-radius:3px}.is-inrange .pika-button{background:#d5e9f7}.is-startrange .pika-button{color:#fff;background:#6cb31d;box-shadow:none;border-radius:3px}.is-endrange .pika-button{color:#fff;background:#3af;box-shadow:none;border-radius:3px}.is-disabled .pika-button,.is-outside-current-month .pika-button{pointer-events:none;cursor:default;color:#999;opacity:.3}.pika-button:hover{color:#fff;background:#ff8000;box-shadow:none;border-radius:3px}.pika-table abbr{border-bottom:0;cursor:help} \ No newline at end of file diff --git a/docs/_static/handsontable.full.min.js b/docs/_static/handsontable.full.min.js deleted file mode 100644 index ab1900b..0000000 --- a/docs/_static/handsontable.full.min.js +++ /dev/null 
@@ -1,89 +0,0 @@ -/*! -(The MIT License) - -Copyright (c) 2012-2014 Marcin Warpechowski -Copyright (c) 2015 Handsoncode sp. z o.o. - -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -'Software'), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. -IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY -CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, -TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE -SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- -*/ -!function(e){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=e();else if("function"==typeof define&&define.amd)define([],e);else{var t;t="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,t.Handsontable=e()}}(function(){var e;return function e(t,o,n){function r(a,l){if(!o[a]){if(!t[a]){var u="function"==typeof require&&require;if(!l&&u)return u(a,!0);if(i)return i(a,!0);if(s[a]&&"undefined"!=typeof window[s[a]])return window[s[a]];var c=new Error("Cannot find module '"+a+"'");throw c.code="MODULE_NOT_FOUND",c}var d=o[a]={exports:{}};t[a][0].call(d.exports,function(e){var o=t[a][1][e];return r(o?o:e)},d,d.exports,e,t,o,n)}return o[a].exports}for(var i="function"==typeof require&&require,s=JSON.parse('{"zeroclipboard":"ZeroClipboard","moment":"moment","numbro":"numbro","pikaday":"Pikaday"}')||{},a=0;a1)for(t=1,o=arguments.length;tMath.ceil(i.top+i.height)||(e.clientXMath.ceil(i.left+i.width)||void 0)))}function n(e){o(e)&&(r.eventManager.removeEventListener(document.body,"mousemove",n),t.style.display="block")}if(this.mouseDown&&this.wot.getSetting("hideBorderOnMouseDownOver")){e.preventDefault(),w(e);var r=this,i=t.getBoundingClientRect();t.style.display="none",this.eventManager.addEventListener(document.body,"mousemove",n)}},createBorders:function(e){this.main=document.createElement("div");var t=["top","left","bottom","right","corner"],o=this.main.style;o.position="absolute",o.top=0,o.left=0;for(var n=0;n<5;n++){var r=t[n],i=document.createElement("div");i.className="wtBorder "+(this.settings.className||""),this.settings[r]&&this.settings[r].hide&&(i.className+=" 
hidden"),o=i.style,o.backgroundColor=this.settings[r]&&this.settings[r].color?this.settings[r].color:e.border.color,o.height=this.settings[r]&&this.settings[r].width?this.settings[r].width+"px":e.border.width+"px",o.width=this.settings[r]&&this.settings[r].width?this.settings[r].width+"px":e.border.width+"px",this.main.appendChild(i)}this.top=this.main.childNodes[0],this.left=this.main.childNodes[1],this.bottom=this.main.childNodes[2],this.right=this.main.childNodes[3],this.topStyle=this.top.style,this.leftStyle=this.left.style,this.bottomStyle=this.bottom.style,this.rightStyle=this.right.style,this.corner=this.main.childNodes[4],this.corner.className+=" corner",this.cornerStyle=this.corner.style,this.cornerStyle.width=this.cornerDefaultStyle.width,this.cornerStyle.height=this.cornerDefaultStyle.height,this.cornerStyle.border=[this.cornerDefaultStyle.borderWidth,this.cornerDefaultStyle.borderStyle,this.cornerDefaultStyle.borderColor].join(" "),v()&&this.createMultipleSelectorHandles(),this.disappear(),this.wot.wtTable.bordersHolder||(this.wot.wtTable.bordersHolder=document.createElement("div"),this.wot.wtTable.bordersHolder.className="htBorders",this.wot.wtTable.spreader.appendChild(this.wot.wtTable.bordersHolder)),this.wot.wtTable.bordersHolder.insertBefore(this.main,this.wot.wtTable.bordersHolder.firstChild)},createMultipleSelectorHandles:function(){this.selectionHandles={topLeft:document.createElement("DIV"),topLeftHitArea:document.createElement("DIV"),bottomRight:document.createElement("DIV"),bottomRightHitArea:document.createElement("DIV")};var 
e=10,t=40;this.selectionHandles.topLeft.className="topLeftSelectionHandle",this.selectionHandles.topLeftHitArea.className="topLeftSelectionHandle-HitArea",this.selectionHandles.bottomRight.className="bottomRightSelectionHandle",this.selectionHandles.bottomRightHitArea.className="bottomRightSelectionHandle-HitArea",this.selectionHandles.styles={topLeft:this.selectionHandles.topLeft.style,topLeftHitArea:this.selectionHandles.topLeftHitArea.style,bottomRight:this.selectionHandles.bottomRight.style,bottomRightHitArea:this.selectionHandles.bottomRightHitArea.style};var o={position:"absolute",height:t+"px",width:t+"px","border-radius":parseInt(t/1.5,10)+"px"};for(var n in o)o.hasOwnProperty(n)&&(this.selectionHandles.styles.bottomRightHitArea[n]=o[n],this.selectionHandles.styles.topLeftHitArea[n]=o[n]);var r={position:"absolute",height:e+"px",width:e+"px","border-radius":parseInt(e/1.5,10)+"px",background:"#F5F5FF",border:"1px solid #4285c8"};for(var i in r)r.hasOwnProperty(i)&&(this.selectionHandles.styles.bottomRight[i]=r[i],this.selectionHandles.styles.topLeft[i]=r[i]);this.main.appendChild(this.selectionHandles.topLeft),this.main.appendChild(this.selectionHandles.bottomRight),this.main.appendChild(this.selectionHandles.topLeftHitArea),this.main.appendChild(this.selectionHandles.bottomRightHitArea)},isPartRange:function(e,t){return!(!this.wot.selections.area.cellRange||e==this.wot.selections.area.cellRange.to.row&&t==this.wot.selections.area.cellRange.to.col)},updateMultipleSelectionHandlesPosition:function(e,t,o,n,r,i){var 
s=parseInt(this.selectionHandles.styles.topLeft.width,10),a=parseInt(this.selectionHandles.styles.topLeftHitArea.width,10);this.selectionHandles.styles.topLeft.top=parseInt(o-s,10)+"px",this.selectionHandles.styles.topLeft.left=parseInt(n-s,10)+"px",this.selectionHandles.styles.topLeftHitArea.top=parseInt(o-a/4*3,10)+"px",this.selectionHandles.styles.topLeftHitArea.left=parseInt(n-a/4*3,10)+"px",this.selectionHandles.styles.bottomRight.top=parseInt(o+i,10)+"px",this.selectionHandles.styles.bottomRight.left=parseInt(n+r,10)+"px",this.selectionHandles.styles.bottomRightHitArea.top=parseInt(o+i-a/4,10)+"px",this.selectionHandles.styles.bottomRightHitArea.left=parseInt(n+r-a/4,10)+"px",this.settings.border.multipleSelectionHandlesVisible&&this.settings.border.multipleSelectionHandlesVisible()?(this.selectionHandles.styles.topLeft.display="block",this.selectionHandles.styles.topLeftHitArea.display="block",this.isPartRange(e,t)?(this.selectionHandles.styles.bottomRight.display="none",this.selectionHandles.styles.bottomRightHitArea.display="none"):(this.selectionHandles.styles.bottomRight.display="block",this.selectionHandles.styles.bottomRightHitArea.display="block")):(this.selectionHandles.styles.topLeft.display="none",this.selectionHandles.styles.bottomRight.display="none",this.selectionHandles.styles.topLeftHitArea.display="none",this.selectionHandles.styles.bottomRightHitArea.display="none"),e==this.wot.wtSettings.getSetting("fixedRowsTop")||t==this.wot.wtSettings.getSetting("fixedColumnsLeft")?(this.selectionHandles.styles.topLeft.zIndex="9999",this.selectionHandles.styles.topLeftHitArea.zIndex="9999"):(this.selectionHandles.styles.topLeft.zIndex="",this.selectionHandles.styles.topLeftHitArea.zIndex="")},appear:function(e){if(!this.disabled){var t,o,n,r,i,s,a,l,u,w,y,C,_,R,M,S,E,O,T;T=this.wot.wtTable.getRenderedRowsCount();for(var k=0;k=e[0]&&D<=e[2]){_=D;break}}for(var x=T-1;x>=0;x--){var 
H=this.wot.wtTable.rowFilter.renderedToSource(x);if(H>=e[0]&&H<=e[2]){M=H;break}}T=this.wot.wtTable.getRenderedColumnsCount();for(var A=0;A=e[1]&&P<=e[3]){R=P;break}}for(var N=T-1;N>=0;N--){var L=this.wot.wtTable.columnFilter.renderedToSource(N);if(L>=e[1]&&L<=e[3]){S=L;break}}if(void 0===_||void 0===R)return void this.disappear();t=_!==M||R!==S,o=this.wot.wtTable.getCell(new b(_,R)),n=t?this.wot.wtTable.getCell(new b(M,S)):o,r=p(o),i=t?p(n):r,s=p(this.wot.wtTable.TABLE),l=r.top,y=i.top+g(n)-l,w=r.left,C=i.left+m(n)-w,a=l-s.top-1,u=w-s.left-1;var I=c(o);parseInt(I.borderTopWidth,10)>0&&(a+=1,y=y>0?y-1:0),parseInt(I.borderLeftWidth,10)>0&&(u+=1,C=C>0?C-1:0),this.topStyle.top=a+"px",this.topStyle.left=u+"px",this.topStyle.width=C+"px",this.topStyle.display="block",this.leftStyle.top=a+"px",this.leftStyle.left=u+"px",this.leftStyle.height=y+"px",this.leftStyle.display="block";var W=Math.floor(this.settings.border.width/2);this.bottomStyle.top=a+y-W+"px",this.bottomStyle.left=u+"px",this.bottomStyle.width=C+"px",this.bottomStyle.display="block",this.rightStyle.top=a+"px",this.rightStyle.left=u+C-W+"px",this.rightStyle.height=y+1+"px",this.rightStyle.display="block",v()||!this.hasSetting(this.settings.border.cornerVisible)||this.isPartRange(M,S)?this.cornerStyle.display="none":(this.cornerStyle.top=a+y-4+"px",this.cornerStyle.left=u+C-4+"px",this.cornerStyle.borderRightWidth=this.cornerDefaultStyle.borderWidth,this.cornerStyle.width=this.cornerDefaultStyle.width,this.cornerStyle.display="none",E=d(this.wot.wtTable.TABLE),S===this.wot.getSetting("totalColumns")-1&&(O=n.offsetLeft+m(n)+parseInt(this.cornerDefaultStyle.width)/2>=h(E),O&&(this.cornerStyle.left=Math.floor(u+C-3-parseInt(this.cornerDefaultStyle.width)/2)+"px",this.cornerStyle.borderRightWidth=0)),M===this.wot.getSetting("totalRows")-1&&(O=n.offsetTop+g(n)+parseInt(this.cornerDefaultStyle.height)/2>=f(E),O&&(this.cornerStyle.top=Math.floor(a+y-3-parseInt(this.cornerDefaultStyle.height)/2)+"px",this.cornerStyle.
borderBottomWidth=0)),this.cornerStyle.display="block"),v()&&this.updateMultipleSelectionHandlesPosition(_,R,a,u,C,y)}},disappear:function(){this.topStyle.display="none",this.leftStyle.display="none",this.bottomStyle.display="none",this.rightStyle.display="none",this.cornerStyle.display="none",v()&&(this.selectionHandles.styles.topLeft.display="none",this.selectionHandles.styles.bottomRight.display="none")},hasSetting:function(e){return"function"==typeof e?e():!!e}},{}),window.WalkontableBorder=C},{"cell/coords":6,eventManager:42,"helpers/browser":44,"helpers/dom/element":47,"helpers/dom/event":48,"overlay/_base.js":12}],4:[function(e,t,o){"use strict";Object.defineProperties(o,{WalkontableViewportColumnsCalculator:{get:function(){return r}},__esModule:{value:!0}});var n=new WeakMap,r=function(e,t,o,r,i,s,a){var l=void 0!==arguments[7]?arguments[7]:function(e){return e};n.set(this,{viewportWidth:e,scrollOffset:t,totalColumns:o,columnWidthFn:r,overrideFn:i,onlyFullyVisible:s,stretchingColumnWidthFn:l}),this.count=0,this.startColumn=null,this.endColumn=null,this.startPosition=null,this.stretchAllRatio=0,this.stretchLastWidth=0,this.stretch=a,this.totalTargetWidth=0,this.needVerifyLastColumnWidth=!0,this.stretchAllColumnsWidth=[],this.calculate()},i=r;$traceurRuntime.createClass(r,{calculate:function(){for(var e,t=0,o=!0,r=[],i=n.get(this),s=i.onlyFullyVisible,a=i.overrideFn,l=i.scrollOffset,u=i.totalColumns,c=i.viewportWidth,d=0;d0?c+1:c;if(t>=l&&t+e<=l+h&&(null==this.startColumn&&(this.startColumn=d),this.endColumn=d),r.push(t),t+=e,s||(this.endColumn=d),t>=l+c){o=!1;break}}if(this.endColumn===u-1&&o)for(this.startColumn=this.endColumn;this.startColumn>0;){var f=r[this.endColumn]+e-r[this.startColumn-1];if((f<=c||!s)&&this.startColumn--,f>c)break}null!==this.startColumn&&a&&a(this),this.startPosition=r[this.startColumn],void 
0==this.startPosition&&(this.startPosition=null),null!==this.startColumn&&(this.count=this.endColumn-this.startColumn+1)},refreshStretching:function(e){if("none"!==this.stretch){this.totalTargetWidth=e;for(var t=n.get(this),o=t.totalColumns,r=0,i=0;i0)this.stretchAllRatio=e/r,this.stretchAllColumnsWidth=[],this.needVerifyLastColumnWidth=!0;else if("last"===this.stretch&&e!==1/0){var u=this._getColumnWidth(o-1),c=l+u;this.stretchLastWidth=c>=0?c:u}}},getStretchedColumnWidth:function(e,t){var o=null;return"all"===this.stretch&&0!==this.stretchAllRatio?o=this._getStretchedAllColumnWidth(e,t):"last"===this.stretch&&0!==this.stretchLastWidth&&(o=this._getStretchedLastColumnWidth(e)),o},_getStretchedAllColumnWidth:function(e,t){var o=0,r=n.get(this),i=r.totalColumns;if(!this.stretchAllColumnsWidth[e]){var s=Math.round(t*this.stretchAllRatio),a=r.stretchingColumnWidthFn(s,e);void 0===a?this.stretchAllColumnsWidth[e]=s:this.stretchAllColumnsWidth[e]=isNaN(a)?this._getColumnWidth(e):a}if(this.stretchAllColumnsWidth.length===i&&this.needVerifyLastColumnWidth){this.needVerifyLastColumnWidth=!1;for(var l=0;l=u&&e+p<=u+d-h&&(null===this.startRow&&(this.startRow=f),this.endRow=f),o.push(e),e+=p,s||(this.endRow=f),e>=u+d-h){t=!1;break}}if(this.endRow===c-1&&t)for(this.startRow=this.endRow;this.startRow>0;){var g=o[this.endRow]+p-o[this.startRow-1];if((g<=d-h||!s)&&this.startRow--,g>=d-h)break}null!==this.startRow&&a&&a(this),this.startPosition=o[this.startRow],void 0==this.startPosition&&(this.startPosition=null),null!==this.startRow&&(this.count=this.endRow-this.startRow+1)}},{get DEFAULT_HEIGHT(){return 23}}),window.WalkontableViewportRowsCalculator=r},{}],6:[function(e,t,o){"use strict";Object.defineProperties(o,{WalkontableCellCoords:{get:function(){return n}},__esModule:{value:!0}});var n=function(e,t){"undefined"!=typeof e&&"undefined"!=typeof 
t?(this.row=e,this.col=t):(this.row=null,this.col=null)};$traceurRuntime.createClass(n,{isValid:function(e){return!(this.row<0||this.col<0)&&!(this.row>=e.getSetting("totalRows")||this.col>=e.getSetting("totalColumns"))},isEqual:function(e){return e===this||this.row===e.row&&this.col===e.col},isSouthEastOf:function(e){return this.row>=e.row&&this.col>=e.col},isNorthWestOf:function(e){return this.row<=e.row&&this.col<=e.col},isSouthWestOf:function(e){return this.row>=e.row&&this.col<=e.col},isNorthEastOf:function(e){return this.row<=e.row&&this.col>=e.col}},{}),window.WalkontableCellCoords=n},{}],7:[function(e,t,o){"use strict";Object.defineProperties(o,{WalkontableCellRange:{get:function(){return i}},__esModule:{value:!0}});var n,r=(n=e("cell/coords"),n&&n.__esModule&&n||{default:n}).WalkontableCellCoords,i=function(e,t,o){this.highlight=e,this.from=t,this.to=o},s=i;$traceurRuntime.createClass(i,{isValid:function(e){return this.from.isValid(e)&&this.to.isValid(e)},isSingle:function(){return this.from.row===this.to.row&&this.from.col===this.to.col},getHeight:function(){return Math.max(this.from.row,this.to.row)-Math.min(this.from.row,this.to.row)+1},getWidth:function(){return Math.max(this.from.col,this.to.col)-Math.min(this.from.col,this.to.col)+1},includes:function(e){var t=e,o=t.row,n=t.col,r=this.getTopLeftCorner(),i=this.getBottomRightCorner();return r.row<=o&&i.row>=o&&r.col<=n&&i.col>=n},includesRange:function(e){return this.includes(e.getTopLeftCorner())&&this.includes(e.getBottomRightCorner())},isEqual:function(e){return Math.min(this.from.row,this.to.row)==Math.min(e.from.row,e.to.row)&&Math.max(this.from.row,this.to.row)==Math.max(e.from.row,e.to.row)&&Math.min(this.from.col,this.to.col)==Math.min(e.from.col,e.to.col)&&Math.max(this.from.col,this.to.col)==Math.max(e.from.col,e.to.col)},overlaps:function(e){return e.isSouthEastOf(this.getTopLeftCorner())&&e.isNorthWestOf(this.getBottomRightCorner())},isSouthEastOf:function(e){return 
this.getTopLeftCorner().isSouthEastOf(e)||this.getBottomRightCorner().isSouthEastOf(e)},isNorthWestOf:function(e){return this.getTopLeftCorner().isNorthWestOf(e)||this.getBottomRightCorner().isNorthWestOf(e)},expand:function(e){var t=this.getTopLeftCorner(),o=this.getBottomRightCorner();return(e.rowo.row||e.col>o.col)&&(this.from=new r(Math.min(t.row,e.row),Math.min(t.col,e.col)),this.to=new r(Math.max(o.row,e.row),Math.max(o.col,e.col)),!0)},expandByRange:function(e){if(this.includesRange(e)||!this.overlaps(e))return!1;var t=this.getTopLeftCorner(),o=this.getBottomRightCorner(),n=(this.getTopRightCorner(),this.getBottomLeftCorner(),e.getTopLeftCorner()),i=e.getBottomRightCorner(),a=Math.min(t.row,n.row),l=Math.min(t.col,n.col),u=Math.max(o.row,i.row),c=Math.max(o.col,i.col),d=new r(a,l),h=new r(u,c),f=new s(d,d,h).isCorner(this.from,e),p=e.isEqual(new s(d,d,h));return f&&!p&&(this.from.col>d.col&&(d.col=c,h.col=l),this.from.row>d.row&&(d.row=u,h.row=a)),this.from=d,this.to=h,!0},getDirection:function(){return this.from.isNorthWestOf(this.to)?"NW-SE":this.from.isNorthEastOf(this.to)?"NE-SW":this.from.isSouthEastOf(this.to)?"SE-NW":this.from.isSouthWestOf(this.to)?"SW-NE":void 0},setDirection:function(e){var t,o,n,r;switch(e){case"NW-SE":t=[this.getTopLeftCorner(),this.getBottomRightCorner()],this.from=t[0],this.to=t[1],t;break;case"NE-SW":o=[this.getTopRightCorner(),this.getBottomLeftCorner()],this.from=o[0],this.to=o[1],o;break;case"SE-NW":n=[this.getBottomRightCorner(),this.getTopLeftCorner()],this.from=n[0],this.to=n[1],n;break;case"SW-NE":r=[this.getBottomLeftCorner(),this.getTopRightCorner()],this.from=r[0],this.to=r[1],r}},getTopLeftCorner:function(){return new r(Math.min(this.from.row,this.to.row),Math.min(this.from.col,this.to.col))},getBottomRightCorner:function(){return new r(Math.max(this.from.row,this.to.row),Math.max(this.from.col,this.to.col))},getTopRightCorner:function(){return new 
r(Math.min(this.from.row,this.to.row),Math.max(this.from.col,this.to.col))},getBottomLeftCorner:function(){return new r(Math.max(this.from.row,this.to.row),Math.min(this.from.col,this.to.col))},isCorner:function(e,t){return!!(t&&t.includes(e)&&(this.getTopLeftCorner().isEqual(new r(t.from.row,t.from.col))||this.getTopRightCorner().isEqual(new r(t.from.row,t.to.col))||this.getBottomLeftCorner().isEqual(new r(t.to.row,t.from.col))||this.getBottomRightCorner().isEqual(new r(t.to.row,t.to.col))))||(e.isEqual(this.getTopLeftCorner())||e.isEqual(this.getTopRightCorner())||e.isEqual(this.getBottomLeftCorner())||e.isEqual(this.getBottomRightCorner()))},getOppositeCorner:function(e,t){if(!(e instanceof r))return!1;if(t&&t.includes(e)){if(this.getTopLeftCorner().isEqual(new r(t.from.row,t.from.col)))return this.getBottomRightCorner();if(this.getTopRightCorner().isEqual(new r(t.from.row,t.to.col)))return this.getBottomLeftCorner();if(this.getBottomLeftCorner().isEqual(new r(t.to.row,t.from.col)))return this.getTopRightCorner();if(this.getBottomRightCorner().isEqual(new r(t.to.row,t.to.col)))return this.getTopLeftCorner()}return e.isEqual(this.getBottomRightCorner())?this.getTopLeftCorner():e.isEqual(this.getTopLeftCorner())?this.getBottomRightCorner():e.isEqual(this.getTopRightCorner())?this.getBottomLeftCorner():e.isEqual(this.getBottomLeftCorner())?this.getTopRightCorner():void 0},getBordersSharedWith:function(e){if(!this.includesRange(e))return[];var t={top:Math.min(this.from.row,this.to.row),bottom:Math.max(this.from.row,this.to.row),left:Math.min(this.from.col,this.to.col),right:Math.max(this.from.col,this.to.col)},o={top:Math.min(e.from.row,e.to.row),bottom:Math.max(e.from.row,e.to.row),left:Math.min(e.from.col,e.to.col),right:Math.max(e.from.col,e.to.col)},n=[];return t.top==o.top&&n.push("top"),t.right==o.right&&n.push("right"),t.bottom==o.bottom&&n.push("bottom"),t.left==o.left&&n.push("left"),n},getInner:function(){for(var 
e=this.getTopLeftCorner(),t=this.getBottomRightCorner(),o=[],n=e.row;n<=t.row;n++)for(var i=e.col;i<=t.col;i++)this.from.row===n&&this.from.col===i||this.to.row===n&&this.to.col===i||o.push(new r(n,i));return o},getAll:function(){for(var e=this.getTopLeftCorner(),t=this.getBottomRightCorner(),o=[],n=e.row;n<=t.row;n++)for(var i=e.col;i<=t.col;i++)e.row===n&&e.col===i?o.push(e):t.row===n&&t.col===i?o.push(t):o.push(new r(n,i));return o},forAll:function(e){for(var t=this.getTopLeftCorner(),o=this.getBottomRightCorner(),n=t.row;n<=o.row;n++)for(var r=t.col;r<=o.col;r++){var i=e(n,r);if(i===!1)return}}},{}),window.WalkontableCellRange=i},{"cell/coords":6}],8:[function(e,t,o){"use strict";Object.defineProperties(o,{Walkontable:{get:function(){return H}},__esModule:{value:!0}});var n,r,i,s,a,l,u,c,d,h,f,p,g,m,w=(n=e("helpers/dom/element"),n&&n.__esModule&&n||{default:n}),v=w.addClass,y=w.fastInnerText,b=w.isVisible,C=w.removeClass,_=(r=e("helpers/object"),r&&r.__esModule&&r||{default:r}).objectEach,R=(i=e("helpers/string"),i&&i.__esModule&&i||{default:i}),M=R.toUpperCaseFirst,S=R.randomString,E=(s=e("event"),s&&s.__esModule&&s||{default:s}).WalkontableEvent,O=(a=e("overlays"),a&&a.__esModule&&a||{default:a}).WalkontableOverlays,T=(l=e("scroll"),l&&l.__esModule&&l||{default:l}).WalkontableScroll,k=(u=e("settings"),u&&u.__esModule&&u||{default:u}).WalkontableSettings,D=(c=e("table"),c&&c.__esModule&&c||{default:c}).WalkontableTable,x=(d=e("viewport"),d&&d.__esModule&&d||{default:d}).WalkontableViewport,H=((h=e("overlay/_base.js"),h&&h.__esModule&&h||{default:h}).WalkontableOverlay,(f=e("overlay/top.js"),f&&f.__esModule&&f||{default:f}).WalkontableTopOverlay,(p=e("overlay/left.js"),p&&p.__esModule&&p||{default:p}).WalkontableLeftOverlay,(g=e("overlay/debug.js"),g&&g.__esModule&&g||{default:g}).WalkontableDebugOverlay,(m=e("overlay/topLeftCorner.js"),m&&m.__esModule&&m||{default:m}).WalkontableTopLeftCornerOverlay,function(e){var 
t=[];if(this.guid="wt_"+S(),e.cloneSource?(this.cloneSource=e.cloneSource,this.cloneOverlay=e.cloneOverlay,this.wtSettings=e.cloneSource.wtSettings,this.wtTable=new D(this,e.table,e.wtRootElement),this.wtScroll=new T(this),this.wtViewport=e.cloneSource.wtViewport,this.wtEvent=new E(this),this.selections=this.cloneSource.selections):(this.wtSettings=new k(this,e),this.wtTable=new D(this,e.table),this.wtScroll=new T(this),this.wtViewport=new x(this),this.wtEvent=new E(this),this.selections=this.getSetting("selections"),this.wtOverlays=new O(this),this.exportSettingsAsClassNames()),this.wtTable.THEAD.childNodes.length&&this.wtTable.THEAD.childNodes[0].childNodes.length){for(var o=0,n=this.wtTable.THEAD.childNodes[0].childNodes.length;o=o-r){if(this.wtOverlays.bottomLeftCornerOverlay&&this.wtOverlays.bottomLeftCornerOverlay.clone)return this.wtOverlays.bottomLeftCornerOverlay.clone.wtTable.getCell(e)}else{if(e.colo-r&&this.wtOverlays.bottomOverlay&&this.wtOverlays.bottomOverlay.clone)return this.wtOverlays.bottomOverlay.clone.wtTable.getCell(e)}return this.wtTable.getCell(e)},update:function(e,t){return this.wtSettings.update(e,t)},scrollVertical:function(e){return this.wtOverlays.topOverlay.scrollTo(e),this.getSetting("onScrollVertically"),this},scrollHorizontal:function(e){return this.wtOverlays.leftOverlay.scrollTo(e),this.getSetting("onScrollHorizontally"),this},scrollViewport:function(e){return this.wtScroll.scrollViewport(e),this},getViewport:function(){return[this.wtTable.getFirstVisibleRow(),this.wtTable.getFirstVisibleColumn(),this.wtTable.getLastVisibleRow(),this.wtTable.getLastVisibleColumn()]},getOverlayName:function(){return this.cloneOverlay?this.cloneOverlay.type:"master"},isOverlayName:function(e){return!!this.cloneOverlay&&this.cloneOverlay.type===e},exportSettingsAsClassNames:function(){var 
e=this,t={rowHeaders:["array"],columnHeaders:["array"]},o=[],n=[];_(t,function(t,r){t.indexOf("array")>-1&&e.getSetting(r).length&&n.push("ht"+M(r)),o.push("ht"+M(r))}),C(this.wtTable.wtRootElement.parentNode,o),v(this.wtTable.wtRootElement.parentNode,n)},getSetting:function(e,t,o,n,r){return this.wtSettings.getSetting(e,t,o,n,r)},hasSetting:function(e){return this.wtSettings.has(e)},destroy:function(){this.wtOverlays.destroy(),this.wtEvent.destroy()}},{}),window.Walkontable=H},{event:9,"helpers/dom/element":47,"helpers/object":53,"helpers/string":55,"overlay/_base.js":12,"overlay/debug.js":13,"overlay/left.js":14,"overlay/top.js":15,"overlay/topLeftCorner.js":16,overlays:17,scroll:18,settings:20,table:21,viewport:23}],9:[function(e,t,o){"use strict";function n(e){var t=this,o=g(e);this.instance=e;var n=[null,null];this.dblClickTimeout=[null,null];var r,i=function(e){var o=document.activeElement,r=f(h,e.realTarget),i=e.realTarget;if(i!==o&&r(0)!==o&&r(1)!==o){var s=t.parentCell(i);c(i,"corner")?t.instance.getSetting("onCellCornerMouseDown",e,i):s.TD&&t.instance.hasSetting("onCellMouseDown")&&t.instance.getSetting("onCellMouseDown",e,s.coords,s.TD,t.instance),2!==e.button&&s.TD&&(n[0]=s.TD,clearTimeout(t.dblClickTimeout[0]),t.dblClickTimeout[0]=setTimeout(function(){n[0]=null},1e3))}},s=function(e){t.instance.touchMoving=!0},a=function(e){o.addEventListener(this,"touchmove",s),t.checkIfTouchMove=setTimeout(function(){return t.instance.touchMoving===!0?(t.instance.touchMoving=void 0,void o.removeEventListener("touchmove",s,!1)):void i(e)},30)},l=function(e){var o,n,r;t.instance.hasSetting("onCellMouseOver")&&(o=t.instance.wtTable.TABLE,n=u(e.realTarget,["TD","TH"],o),r=t.instance.cloneSource||t.instance,n&&n!==r.lastMouseOver&&d(n,o)&&(r.lastMouseOver=n,t.instance.getSetting("onCellMouseOver",e,t.instance.wtTable.getCoords(n),n,t.instance)))},m=function(e){if(2!==e.button){var 
o=t.parentCell(e.realTarget);o.TD===n[0]&&o.TD===n[1]?(c(e.realTarget,"corner")?t.instance.getSetting("onCellCornerDblClick",e,o.coords,o.TD,t.instance):t.instance.getSetting("onCellDblClick",e,o.coords,o.TD,t.instance),n[0]=null,n[1]=null):o.TD===n[0]?(t.instance.getSetting("onCellMouseUp",e,o.coords,o.TD,t.instance),n[1]=o.TD,clearTimeout(t.dblClickTimeout[1]),t.dblClickTimeout[1]=setTimeout(function(){n[1]=null},500)):o.TD&&t.instance.hasSetting("onCellMouseUp")&&t.instance.getSetting("onCellMouseUp",e,o.coords,o.TD,t.instance)}},w=function(e){clearTimeout(r),e.preventDefault(),m(e)};if(o.addEventListener(this.instance.wtTable.holder,"mousedown",i),o.addEventListener(this.instance.wtTable.TABLE,"mouseover",l),o.addEventListener(this.instance.wtTable.holder,"mouseup",m),this.instance.wtTable.holder.parentNode.parentNode&&p()&&!t.instance.wtTable.isWorkingOnClone()){var v="."+this.instance.wtTable.holder.parentNode.className.split(" ").join(".");o.addEventListener(this.instance.wtTable.holder,"touchstart",function(e){t.instance.touchApplied=!0,d(e.target,v)&&a.call(e.target,e)}),o.addEventListener(this.instance.wtTable.holder,"touchend",function(e){t.instance.touchApplied=!1,d(e.target,v)&&w.call(e.target,e)}),t.instance.momentumScrolling||(t.instance.momentumScrolling={}),o.addEventListener(this.instance.wtTable.holder,"scroll",function(e){clearTimeout(t.instance.momentumScrolling._timeout),t.instance.momentumScrolling.ongoing||t.instance.getSetting("onBeforeTouchScroll"),t.instance.momentumScrolling.ongoing=!0,t.instance.momentumScrolling._timeout=setTimeout(function(){t.instance.touchApplied||(t.instance.momentumScrolling.ongoing=!1,t.instance.getSetting("onAfterMomentumScroll"))},200)})}o.addEventListener(window,"resize",function(){"none"!==t.instance.getSetting("stretchH")&&t.instance.draw()}),this.destroy=function(){clearTimeout(this.dblClickTimeout[0]),clearTimeout(this.dblClickTimeout[1]),o.destroy()}}Object.defineProperties(o,{WalkontableEvent:{get:functio
n(){return n}},__esModule:{value:!0}});var r,i,s,a,l=(r=e("helpers/dom/element"),r&&r.__esModule&&r||{default:r}),u=l.closestDown,c=l.hasClass,d=l.isChildOf,h=l.getParent,f=(i=e("helpers/function"),i&&i.__esModule&&i||{default:i}).partial,p=(s=e("helpers/browser"),s&&s.__esModule&&s||{default:s}).isMobileBrowser,g=(a=e("eventManager"),a&&a.__esModule&&a||{default:a}).eventManager;n.prototype.parentCell=function(e){var t={},o=this.instance.wtTable.TABLE,n=u(e,["TD","TH"],o);return n?(t.coords=this.instance.wtTable.getCoords(n),t.TD=n):c(e,"wtBorder")&&c(e,"current")?(t.coords=this.instance.selections.current.cellRange.highlight,t.TD=this.instance.wtTable.getCell(t.coords)):c(e,"wtBorder")&&c(e,"area")&&this.instance.selections.area.cellRange&&(t.coords=this.instance.selections.area.cellRange.to,t.TD=this.instance.wtTable.getCell(t.coords)),t},window.WalkontableEvent=n},{eventManager:42,"helpers/browser":44,"helpers/dom/element":47,"helpers/function":50}],10:[function(e,t,o){"use strict";Object.defineProperties(o,{ -WalkontableColumnFilter:{get:function(){return n}},__esModule:{value:!0}});var n=function(e,t,o){this.offset=e,this.total=t,this.countTH=o};$traceurRuntime.createClass(n,{offsetted:function(e){return e+this.offset},unOffsetted:function(e){return e-this.offset},renderedToSource:function(e){return this.offsetted(e)},sourceToRendered:function(e){return this.unOffsetted(e)},offsettedTH:function(e){return e-this.countTH},unOffsettedTH:function(e){return e+this.countTH},visibleRowHeadedColumnToSourceColumn:function(e){return this.renderedToSource(this.offsettedTH(e))},sourceColumnToVisibleRowHeadedColumn:function(e){return this.unOffsettedTH(this.sourceToRendered(e))}},{}),window.WalkontableColumnFilter=n},{}],11:[function(e,t,o){"use strict";Object.defineProperties(o,{WalkontableRowFilter:{get:function(){return n}},__esModule:{value:!0}});var 
n=function(e,t,o){this.offset=e,this.total=t,this.countTH=o};$traceurRuntime.createClass(n,{offsetted:function(e){return e+this.offset},unOffsetted:function(e){return e-this.offset},renderedToSource:function(e){return this.offsetted(e)},sourceToRendered:function(e){return this.unOffsetted(e)},offsettedTH:function(e){return e-this.countTH},unOffsettedTH:function(e){return e+this.countTH},visibleColHeadedRowToSourceRow:function(e){return this.renderedToSource(this.offsettedTH(e))},sourceRowToVisibleColHeadedRow:function(e){return this.unOffsettedTH(this.sourceToRendered(e))}},{}),window.WalkontableRowFilter=n},{}],12:[function(e,t,o){"use strict";Object.defineProperties(o,{WalkontableOverlay:{get:function(){return p}},__esModule:{value:!0}});var n,r,i,s,a=(n=e("helpers/dom/element"),n&&n.__esModule&&n||{default:n}),l=a.getScrollableElement,u=a.getTrimmingContainer,c=(r=e("helpers/object"),r&&r.__esModule&&r||{default:r}).defineGetter,d=(i=e("helpers/array"),i&&i.__esModule&&i||{default:i}).arrayEach,h=(s=e("eventManager"),s&&s.__esModule&&s||{default:s}).eventManager,f={},p=function(e){c(this,"wot",e,{writable:!1}),this.instance=this.wot,this.type="",this.mainTableScrollableElement=null,this.TABLE=this.wot.wtTable.TABLE,this.hider=this.wot.wtTable.hider,this.spreader=this.wot.wtTable.spreader,this.holder=this.wot.wtTable.holder,this.wtRootElement=this.wot.wtTable.wtRootElement,this.trimmingContainer=u(this.hider.parentNode.parentNode),this.areElementSizesAdjusted=!1,this.updateStateOfRendering()},g=p;$traceurRuntime.createClass(p,{updateStateOfRendering:function(){var e=this.needFullRender;this.needFullRender=this.shouldBeRendered();var t=e!==this.needFullRender;return 
t&&!this.needFullRender&&this.reset(),t},shouldBeRendered:function(){return!0},updateTrimmingContainer:function(){this.trimmingContainer=u(this.hider.parentNode.parentNode)},updateMainScrollableElement:function(){this.mainTableScrollableElement=l(this.wot.wtTable.TABLE)},makeClone:function(e){if(g.CLONE_TYPES.indexOf(e)===-1)throw new Error('Clone type "'+e+'" is not supported.');var t=document.createElement("DIV"),o=document.createElement("TABLE");t.className="ht_clone_"+e+" handsontable",t.style.position="absolute",t.style.top=0,t.style.left=0,t.style.overflow="hidden",o.className=this.wot.wtTable.TABLE.className,t.appendChild(o),this.type=e,this.wot.wtTable.wtRootElement.parentNode.appendChild(t);var n=this.wot.getSetting("preventOverflow");return n===!0||"horizontal"===n&&this.type===g.CLONE_TOP||"vertical"===n&&this.type===g.CLONE_LEFT?this.mainTableScrollableElement=window:this.mainTableScrollableElement=l(this.wot.wtTable.TABLE),new Walkontable({cloneSource:this.wot,cloneOverlay:this,table:o})},refresh:function(){var e=void 0!==arguments[0]&&arguments[0],t=this.shouldBeRendered();this.clone&&(this.needFullRender||t)&&this.clone.draw(e),this.needFullRender=t},reset:function(){if(this.clone){var e=this.clone.wtTable.holder,t=this.clone.wtTable.hider,o=e.style,n=t.style,r=e.parentNode.style;d([o,n,r],function(e){e.width="",e.height=""})}},destroy:function(){h(this.clone).destroy()}},{get CLONE_TOP(){return"top"},get CLONE_BOTTOM(){return"bottom"},get CLONE_LEFT(){return"left"},get CLONE_TOP_LEFT_CORNER(){return"top_left_corner"},get CLONE_BOTTOM_LEFT_CORNER(){return"bottom_left_corner"},get CLONE_DEBUG(){return"debug"},get CLONE_TYPES(){return[g.CLONE_TOP,g.CLONE_BOTTOM,g.CLONE_LEFT,g.CLONE_TOP_LEFT_CORNER,g.CLONE_BOTTOM_LEFT_CORNER,g.CLONE_DEBUG]},registerOverlay:function(e,t){if(g.CLONE_TYPES.indexOf(e)===-1)throw new Error("Unsupported overlay ("+e+").");f[e]=t},createOverlay:function(e,t){return new 
f[e](t)},isOverlayTypeOf:function(e,t){return!(!e||!f[t])&&e instanceof f[t]}}),window.WalkontableOverlay=p},{eventManager:42,"helpers/array":43,"helpers/dom/element":47,"helpers/object":53}],13:[function(e,t,o){"use strict";Object.defineProperties(o,{WalkontableDebugOverlay:{get:function(){return a}},__esModule:{value:!0}});var n,r,i=(n=e("helpers/dom/element"),n&&n.__esModule&&n||{default:n}).addClass,s=(r=e("_base"),r&&r.__esModule&&r||{default:r}).WalkontableOverlay,a=function(e){$traceurRuntime.superConstructor(l).call(this,e),this.clone=this.makeClone(s.CLONE_DEBUG),this.clone.wtTable.holder.style.opacity=.4,this.clone.wtTable.holder.style.textShadow="0 0 2px #ff0000",i(this.clone.wtTable.holder.parentNode,"wtDebugVisible")},l=a;$traceurRuntime.createClass(a,{},{},s),window.WalkontableDebugOverlay=a,s.registerOverlay(s.CLONE_DEBUG,a)},{_base:12,"helpers/dom/element":47}],14:[function(e,t,o){"use strict";Object.defineProperties(o,{WalkontableLeftOverlay:{get:function(){return w}},__esModule:{value:!0}});var n,r,i=(n=e("helpers/dom/element"),n&&n.__esModule&&n||{default:n}),s=i.addClass,a=i.getScrollbarWidth,l=i.getScrollLeft,u=i.getWindowScrollTop,c=i.hasClass,d=i.outerWidth,h=i.innerHeight,f=i.removeClass,p=i.setOverlayPosition,g=i.resetCssTransform,m=(r=e("_base"),r&&r.__esModule&&r||{default:r}).WalkontableOverlay,w=function(e){$traceurRuntime.superConstructor(v).call(this,e),this.clone=this.makeClone(m.CLONE_LEFT)},v=w;$traceurRuntime.createClass(w,{shouldBeRendered:function(){return!(!this.wot.getSetting("fixedColumnsLeft")&&!this.wot.getSetting("rowHeaders").length)},resetFixedPosition:function(){if(this.needFullRender&&this.wot.wtTable.holder.parentNode){var e=this.clone.wtTable.holder.parentNode,t=0,o=this.wot.getSetting("preventOverflow");if(this.trimmingContainer!==window||o&&"horizontal"===o)t=this.getScrollPosition(),g(e);else{var 
n,r,i=this.wot.wtTable.hider.getBoundingClientRect(),s=Math.ceil(i.left),a=Math.ceil(i.right);r=this.wot.wtTable.hider.style.top,r=""===r?0:r,n=s<0&&a-e.offsetWidth>0?-s:0,t=n,n+="px",p(e,n,r)}this.adjustHeaderBordersPosition(t),this.adjustElementsSize()}},setScrollPosition:function(e){this.mainTableScrollableElement===window?window.scrollTo(e,u()):this.mainTableScrollableElement.scrollLeft=e},onScroll:function(){this.wot.getSetting("onScrollVertically")},sumCellSizes:function(e,t){for(var o=0,n=this.wot.wtSettings.defaultColumnWidth;e0?-s:0,t=r,r+="px",p(e,n,r)}this.adjustHeaderBordersPosition(t),this.adjustElementsSize()}},setScrollPosition:function(e){this.mainTableScrollableElement===window?window.scrollTo(u(),e):this.mainTableScrollableElement.scrollTop=e},onScroll:function(){this.wot.getSetting("onScrollHorizontally")},sumCellSizes:function(e,t){for(var o=0,n=this.wot.wtSettings.settings.defaultRowHeight;e0){var n=c(t,"innerBorderTop");e||0===this.wot.getSetting("totalRows")?s(t,"innerBorderTop"):f(t,"innerBorderTop"),(!n&&e||n&&!e)&&this.wot.wtOverlays.adjustElementsSize()}if(0===this.wot.getSetting("rowHeaders").length){var r=this.clone.wtTable.THEAD.querySelectorAll("th:nth-of-type(2)");if(r)for(var i=0;i0&&(f=-c+"px"),n&&"horizontal"!==n||i<0&&d-e.offsetHeight>0&&(p=-i+"px"),l(e,f,p)}else u(e);e.style.height=(0===t?t:t+4)+"px",e.style.width=(0===o?o:o+4)+"px"}}},{},c),window.WalkontableTopLeftCornerOverlay=d,c.registerOverlay(c.CLONE_TOP_LEFT_CORNER,d)},{_base:12,"helpers/dom/element":47}],17:[function(e,t,o){"use strict";Object.defineProperties(o,{WalkontableOverlays:{get:function(){return w}},__esModule:{value:!0}});var 
n,r,i,s,a,l=(n=e("helpers/dom/element"),n&&n.__esModule&&n||{default:n}),u=l.getScrollableElement,c=l.getScrollbarWidth,d=l.getScrollLeft,h=l.getScrollTop,f=(r=e("helpers/array"),r&&r.__esModule&&r||{default:r}).arrayEach,p=(i=e("helpers/unicode"),i&&i.__esModule&&i||{default:i}).isKey,g=(s=e("helpers/browser"),s&&s.__esModule&&s||{default:s}).isMobileBrowser,m=(a=e("eventManager"),a&&a.__esModule&&a||{default:a}).EventManager,w=function(e){this.wot=e,this.instance=this.wot,this.eventManager=new m(this.wot),this.wot.update("scrollbarWidth",c()),this.wot.update("scrollbarHeight",c()),this.scrollableElement=u(this.wot.wtTable.TABLE),this.prepareOverlays(),this.destroyed=!1,this.keyPressed=!1,this.spreaderLastSize={width:null,height:null},this.overlayScrollPositions={master:{top:0,left:0},top:{top:null,left:0},bottom:{top:null,left:0},left:{top:0,left:null}},this.pendingScrollCallbacks={master:{top:0,left:0},top:{left:0},bottom:{left:0},left:{top:0}},this.verticalScrolling=!1,this.horizontalScrolling=!1,this.delegatedScrollCallback=!1,this.registeredListeners=[],this.registerListeners()};$traceurRuntime.createClass(w,{prepareOverlays:function(){var e=!1;return this.topOverlay?e=this.topOverlay.updateStateOfRendering()||e:this.topOverlay=WalkontableOverlay.createOverlay(WalkontableOverlay.CLONE_TOP,this.wot),"undefined"==typeof WalkontableBottomOverlay&&(this.bottomOverlay={needFullRender:!1,updateStateOfRendering:function(){return!1}}),"undefined"==typeof 
WalkontableBottomLeftCornerOverlay&&(this.bottomLeftCornerOverlay={needFullRender:!1,updateStateOfRendering:function(){return!1}}),this.bottomOverlay?e=this.bottomOverlay.updateStateOfRendering()||e:this.bottomOverlay=WalkontableOverlay.createOverlay(WalkontableOverlay.CLONE_BOTTOM,this.wot),this.leftOverlay?e=this.leftOverlay.updateStateOfRendering()||e:this.leftOverlay=WalkontableOverlay.createOverlay(WalkontableOverlay.CLONE_LEFT,this.wot),this.topOverlay.needFullRender&&this.leftOverlay.needFullRender&&(this.topLeftCornerOverlay?e=this.topLeftCornerOverlay.updateStateOfRendering()||e:this.topLeftCornerOverlay=WalkontableOverlay.createOverlay(WalkontableOverlay.CLONE_TOP_LEFT_CORNER,this.wot)),this.bottomOverlay.needFullRender&&this.leftOverlay.needFullRender&&(this.bottomLeftCornerOverlay?e=this.bottomLeftCornerOverlay.updateStateOfRendering()||e:this.bottomLeftCornerOverlay=WalkontableOverlay.createOverlay(WalkontableOverlay.CLONE_BOTTOM_LEFT_CORNER,this.wot)),this.wot.getSetting("debug")&&!this.debug&&(this.debug=WalkontableOverlay.createOverlay(WalkontableOverlay.CLONE_DEBUG,this.wot)),e},refreshAll:function(){if(this.wot.drawn){if(!this.wot.wtTable.holder.parentNode)return void this.destroy();this.wot.draw(!0),this.verticalScrolling&&this.leftOverlay.onScroll(),this.horizontalScrolling&&this.topOverlay.onScroll(),this.verticalScrolling=!1,this.horizontalScrolling=!1}},registerListeners:function(){var e=this,t=this.topOverlay.mainTableScrollableElement,o=this.leftOverlay.mainTableScrollableElement,n=[];for(n.push([document.documentElement,"keydown",function(t){return e.onKeyDown(t)}]),n.push([document.documentElement,"keyup",function(){return e.onKeyUp()}]),n.push([document,"visibilitychange",function(){return e.onKeyUp()}]),n.push([t,"scroll",function(t){return e.onTableScroll(t)}]),t!==o&&n.push([o,"scroll",function(t){return e.onTableScroll(t)}]),this.topOverlay.needFullRender&&(n.push([this.topOverlay.clone.wtTable.holder,"scroll",function(t){return 
e.onTableScroll(t)}]),n.push([this.topOverlay.clone.wtTable.holder,"wheel",function(t){return e.onTableScroll(t)}])),this.bottomOverlay.needFullRender&&(n.push([this.bottomOverlay.clone.wtTable.holder,"scroll",function(t){return e.onTableScroll(t)}]),n.push([this.bottomOverlay.clone.wtTable.holder,"wheel",function(t){return e.onTableScroll(t)}])),this.leftOverlay.needFullRender&&(n.push([this.leftOverlay.clone.wtTable.holder,"scroll",function(t){return e.onTableScroll(t)}]),n.push([this.leftOverlay.clone.wtTable.holder,"wheel",function(t){return e.onTableScroll(t)}])),this.topLeftCornerOverlay&&this.topLeftCornerOverlay.needFullRender&&n.push([this.topLeftCornerOverlay.clone.wtTable.holder,"wheel",function(t){return e.onTableScroll(t)}]),this.bottomLeftCornerOverlay&&this.bottomLeftCornerOverlay.needFullRender&&n.push([this.bottomLeftCornerOverlay.clone.wtTable.holder,"wheel",function(t){return e.onTableScroll(t)}]),this.topOverlay.trimmingContainer!==window&&this.leftOverlay.trimmingContainer!==window&&n.push([window,"wheel",function(t){var o,n=t.wheelDeltaY||t.deltaY,r=t.wheelDeltaX||t.deltaX;e.topOverlay.clone.wtTable.holder.contains(t.realTarget)?o="top":e.bottomOverlay.clone&&e.bottomOverlay.clone.wtTable.holder.contains(t.realTarget)?o="bottom":e.leftOverlay.clone.wtTable.holder.contains(t.realTarget)?o="left":e.topLeftCornerOverlay&&e.topLeftCornerOverlay.clone&&e.topLeftCornerOverlay.clone.wtTable.holder.contains(t.realTarget)?o="topLeft":e.bottomLeftCornerOverlay&&e.bottomLeftCornerOverlay.clone&&e.bottomLeftCornerOverlay.clone.wtTable.holder.contains(t.realTarget)&&(o="bottomLeft"),("top"==o&&0!==n||"left"==o&&0!==r||"bottom"==o&&0!==n||("topLeft"===o||"bottomLeft"===o)&&(0!==n||0!==r))&&t.preventDefault()}]);n.length;){var r=n.pop();this.eventManager.addEventListener(r[0],r[1],r[2]),this.registeredListeners.push(r)}},deregisterListeners:function(){for(;this.registeredListeners.length;){var 
e=this.registeredListeners.pop();this.eventManager.removeEventListener(e[0],e[1],e[2])}},onTableScroll:function(e){if(!g()){var t=this.leftOverlay.mainTableScrollableElement,o=this.topOverlay.mainTableScrollableElement,n=e.target;this.keyPressed&&(o!==window&&n!==window&&!e.target.contains(o)||t!==window&&n!==window&&!e.target.contains(t))||("scroll"===e.type?this.syncScrollPositions(e):this.translateMouseWheelToScroll(e))}},onKeyDown:function(e){this.keyPressed=p(e.keyCode,"ARROW_UP|ARROW_RIGHT|ARROW_DOWN|ARROW_LEFT")},onKeyUp:function(){this.keyPressed=!1},translateMouseWheelToScroll:function(e){var t=this.topOverlay.clone.wtTable.holder,o=this.bottomOverlay.clone?this.bottomOverlay.clone.wtTable.holder:null,n=this.leftOverlay.clone.wtTable.holder,r=this.topLeftCornerOverlay&&this.topLeftCornerOverlay.clone?this.topLeftCornerOverlay.clone.wtTable.holder:null,i=this.bottomLeftCornerOverlay&&this.bottomLeftCornerOverlay.clone?this.bottomLeftCornerOverlay.clone.wtTable.holder:null,s=-.2,a=e.wheelDeltaY||-1*e.deltaY,l=e.wheelDeltaX||-1*e.deltaX,u=null,c={type:"wheel"},d=e.target,h=null;for(1===e.deltaMode&&(a*=120,l*=120);d!=document&&null!=d;){if(d.className.indexOf("wtHolder")>-1){u=d;break}d=d.parentNode}return c.target=u,u===r||u===i?(this.syncScrollPositions(c,s*l,"x"),this.syncScrollPositions(c,s*a,"y")):(u===t||u===o?h=a:u===n&&(h=l),this.syncScrollPositions(c,s*h)),!1},syncScrollPositions:function(e){var t=void 0!==arguments[1]?arguments[1]:null,o=void 0!==arguments[2]?arguments[2]:null;if(!this.destroyed){if(0===arguments.length)return void this.syncScrollWithMaster();var 
n,r,i,s,a,l=this.leftOverlay.mainTableScrollableElement,u=this.topOverlay.mainTableScrollableElement,c=e.target,f=0,p=!1,g=!1,m=this.wot.getSetting("preventOverflow");this.topOverlay.needFullRender&&(n=this.topOverlay.clone.wtTable.holder),this.bottomOverlay.needFullRender&&(a=this.bottomOverlay.clone.wtTable.holder),this.leftOverlay.needFullRender&&(r=this.leftOverlay.clone.wtTable.holder),this.leftOverlay.needFullRender&&this.topOverlay.needFullRender&&(i=this.topLeftCornerOverlay.clone.wtTable.holder),this.leftOverlay.needFullRender&&this.bottomOverlay.needFullRender&&(s=this.bottomLeftCornerOverlay.clone.wtTable.holder),c===document&&(c=window),c===l||c===u?(f=d(m?this.scrollableElement:c),this.horizontalScrolling=!0,this.overlayScrollPositions.master.left=f,p=!0,this.pendingScrollCallbacks.master.left>0?this.pendingScrollCallbacks.master.left--:(n&&n.scrollLeft!==f&&(null==t&&this.pendingScrollCallbacks.top.left++,n.scrollLeft=f,g=l!==window),a&&a.scrollLeft!==f&&(null==t&&this.pendingScrollCallbacks.bottom.left++,a.scrollLeft=f,g=l!==window)),f=h(c),this.verticalScrolling=!0,this.overlayScrollPositions.master.top=f,p=!0,this.pendingScrollCallbacks.master.top>0?this.pendingScrollCallbacks.master.top--:r&&r.scrollTop!==f&&(null==t&&this.pendingScrollCallbacks.left.top++,r.scrollTop=f,g=u!==window)):c===a?(f=d(c),this.horizontalScrolling=!0,this.overlayScrollPositions.bottom.left=f,p=!0,this.pendingScrollCallbacks.bottom.left>0?this.pendingScrollCallbacks.bottom.left--:(null==t&&this.pendingScrollCallbacks.master.left++,l.scrollLeft=f,n&&n.scrollLeft!==f&&(null==t&&this.pendingScrollCallbacks.top.left++,n.scrollLeft=f,g=u!==window)),null!==t&&(p=!0,u.scrollTop+=t)):c===n?(f=d(c),this.horizontalScrolling=!0,this.overlayScrollPositions.top.left=f,p=!0,this.pendingScrollCallbacks.top.left>0?this.pendingScrollCallbacks.top.left--:(null==t&&this.pendingScrollCallbacks.master.left++,l.scrollLeft=f),null!==t&&(p=!0,u.scrollTop+=t),a&&a.scrollLeft!==f&&(null==t&&this.pen
dingScrollCallbacks.bottom.left++,a.scrollLeft=f,g=u!==window)):c===r?(f=h(c),this.overlayScrollPositions.left.top!==f&&(this.verticalScrolling=!0,this.overlayScrollPositions.left.top=f,p=!0,this.pendingScrollCallbacks.left.top>0?this.pendingScrollCallbacks.left.top--:(null==t&&this.pendingScrollCallbacks.master.top++,u.scrollTop=f)),null!==t&&(p=!0,u.scrollLeft+=t)):c!==i&&c!==s||null!==t&&(p=!0,"x"===o?u.scrollLeft+=t:"y"===o&&(u.scrollTop+=t)),!this.keyPressed&&p&&"scroll"===e.type&&(this.delegatedScrollCallback?this.delegatedScrollCallback=!1:this.refreshAll(),g&&(this.delegatedScrollCallback=!0))}},syncScrollWithMaster:function(){var e=this.topOverlay.mainTableScrollableElement,t=e,o=t.scrollLeft,n=t.scrollTop;this.topOverlay.needFullRender&&(this.topOverlay.clone.wtTable.holder.scrollLeft=o),this.bottomOverlay.needFullRender&&(this.bottomOverlay.clone.wtTable.holder.scrollLeft=o),this.leftOverlay.needFullRender&&(this.leftOverlay.clone.wtTable.holder.scrollTop=n)},updateMainScrollableElements:function(){this.deregisterListeners(),this.leftOverlay.updateMainScrollableElement(),this.topOverlay.updateMainScrollableElement(),this.bottomOverlay.needFullRender&&this.bottomOverlay.updateMainScrollableElement(),this.scrollableElement=u(this.wot.wtTable.TABLE),this.registerListeners()},destroy:function(){this.eventManager.destroy(),this.topOverlay.destroy(),this.bottomOverlay.clone&&this.bottomOverlay.destroy(),this.leftOverlay.destroy(),this.topLeftCornerOverlay&&this.topLeftCornerOverlay.destroy(),this.bottomLeftCornerOverlay&&this.bottomLeftCornerOverlay.clone&&this.bottomLeftCornerOverlay.destroy(),this.debug&&this.debug.destroy(),this.destroyed=!0},refresh:function(){var e=void 0!==arguments[0]&&arguments[0];if(this.topOverlay.areElementSizesAdjusted&&this.leftOverlay.areElementSizesAdjusted){var 
t=this.wot.wtTable.wtRootElement.parentNode||this.wot.wtTable.wtRootElement,o=t.clientWidth,n=t.clientHeight;o===this.spreaderLastSize.width&&n===this.spreaderLastSize.height||(this.spreaderLastSize.width=o,this.spreaderLastSize.height=n,this.adjustElementsSize())}this.bottomOverlay.clone&&this.bottomOverlay.refresh(e),this.leftOverlay.refresh(e),this.topOverlay.refresh(e),this.topLeftCornerOverlay&&this.topLeftCornerOverlay.refresh(e),this.bottomLeftCornerOverlay&&this.bottomLeftCornerOverlay.clone&&this.bottomLeftCornerOverlay.refresh(e),this.debug&&this.debug.refresh(e)},adjustElementsSize:function(){var e=void 0!==arguments[0]&&arguments[0],t=this.wot.getSetting("totalColumns"),o=this.wot.getSetting("totalRows"),n=this.wot.wtViewport.getRowHeaderWidth(),r=this.wot.wtViewport.getColumnHeaderHeight(),i=this.wot.wtTable.hider.style;i.width=n+this.leftOverlay.sumCellSizes(0,t)+"px",i.height=r+this.topOverlay.sumCellSizes(0,o)+1+"px",this.topOverlay.adjustElementsSize(e),this.leftOverlay.adjustElementsSize(e),this.bottomOverlay.clone&&this.bottomOverlay.adjustElementsSize(e)},applyToDOM:function(){this.topOverlay.areElementSizesAdjusted&&this.leftOverlay.areElementSizesAdjusted||this.adjustElementsSize(),this.topOverlay.applyToDOM(),this.bottomOverlay.clone&&this.bottomOverlay.applyToDOM(),this.leftOverlay.applyToDOM()},getParentOverlay:function(e){if(!e)return null;var t=[this.topOverlay,this.leftOverlay,this.bottomOverlay,this.topLeftCornerOverlay,this.bottomLeftCornerOverlay],o=null;return f(t,function(t,n){t&&t.clone&&t.clone.wtTable.TABLE.contains(e)&&(o=t.clone)}),o}},{}),window.WalkontableOverlays=w},{eventManager:42,"helpers/array":43,"helpers/browser":44,"helpers/dom/element":47,"helpers/unicode":56}],18:[function(e,t,o){"use strict";Object.defineProperties(o,{WalkontableScroll:{get:function(){return p}},__esModule:{value:!0}});var 
n,r,i=(n=e("helpers/dom/element"),n&&n.__esModule&&n||{default:n}),s=i.innerHeight,a=i.innerWidth,l=i.getScrollLeft,u=i.getScrollTop,c=i.offset,d=(r=e("helpers/number"),r&&r.__esModule&&r||{default:r}),h=d.rangeEach,f=d.rangeEachReverse,p=function(e){this.wot=e,this.instance=e};$traceurRuntime.createClass(p,{scrollViewport:function(e){if(this.wot.drawn){var t=this._getVariables(),o=t.topOverlay,n=t.leftOverlay,r=t.totalRows,i=t.totalColumns,s=t.fixedRowsTop,a=t.fixedRowsBottom,l=t.fixedColumnsLeft;if(e.row<0||e.row>Math.max(r-1,0))throw new Error("row "+e.row+" does not exist");if(e.col<0||e.col>Math.max(i-1,0))throw new Error("column "+e.col+" does not exist");e.row>=s&&e.rowthis.getLastVisibleRow()&&e.row=l&&e.colthis.getLastVisibleColumn()&&n.scrollTo(e.col,!0)}},getFirstVisibleRow:function(){var e=this._getVariables(),t=e.topOverlay,o=e.wtTable,n=e.wtViewport,r=e.totalRows,i=e.fixedRowsTop,a=o.getFirstVisibleRow();if(t.mainTableScrollableElement===window){var l=c(o.wtRootElement),d=s(o.hider),h=s(window),p=u(window);if(l.top+d-h<=p){var g=n.getColumnHeaderHeight();g+=t.sumCellSizes(0,i),f(r,1,function(e){if(g+=t.sumCellSizes(e-1,e),l.top+d-g<=p)return a=e,!1})}}return a},getLastVisibleRow:function(){var e=this._getVariables(),t=e.topOverlay,o=e.wtTable,n=e.wtViewport,r=e.totalRows,i=o.getLastVisibleRow();if(t.mainTableScrollableElement===window){var a=c(o.wtRootElement),l=s(window),d=u(window);if(a.top>d){var f=n.getColumnHeaderHeight();h(1,r,function(e){if(f+=t.sumCellSizes(e-1,e),a.top+f-d>=l)return i=e-2,!1})}}return i},getFirstVisibleColumn:function(){var e=this._getVariables(),t=e.leftOverlay,o=e.wtTable,n=e.wtViewport,r=e.totalColumns,i=(e.fixedColumnsLeft,o.getFirstVisibleColumn());if(t.mainTableScrollableElement===window){var s=c(o.wtRootElement),u=a(o.hider),d=a(window),h=l(window);if(s.left+u-d<=h){var p=n.getRowHeaderWidth();f(r,1,function(e){if(p+=t.sumCellSizes(e-1,e),s.left+u-p<=h)return i=e,!1})}}return i},getLastVisibleColumn:function(){var 
e=this._getVariables(),t=e.leftOverlay,o=e.wtTable,n=e.wtViewport,r=e.totalColumns,i=o.getLastVisibleColumn();if(t.mainTableScrollableElement===window){var s=c(o.wtRootElement),u=a(window),d=l(window);if(s.left>d){var f=n.getRowHeaderWidth();h(1,r,function(e){if(f+=t.sumCellSizes(e-1,e),s.left+f-d>=u)return i=e-2,!1})}}return i},_getVariables:function(){var e=this.wot,t=e.wtOverlays.topOverlay,o=e.wtOverlays.leftOverlay,n=e.wtTable,r=e.wtViewport,i=e.getSetting("totalRows"),s=e.getSetting("totalColumns"),a=e.getSetting("fixedRowsTop"),l=e.getSetting("fixedRowsBottom"),u=e.getSetting("fixedColumnsLeft");return{topOverlay:t,leftOverlay:o,wtTable:n,wtViewport:r,totalRows:i,totalColumns:s,fixedRowsTop:a,fixedRowsBottom:l,fixedColumnsLeft:u}}},{}),window.WalkontableScroll=p},{"helpers/dom/element":47,"helpers/number":52}],19:[function(e,t,o){"use strict";Object.defineProperties(o,{WalkontableSelection:{get:function(){return d}},__esModule:{value:!0}});var n,r,i,s,a=(n=e("helpers/dom/element"), -n&&n.__esModule&&n||{default:n}).addClass,l=(r=e("border"),r&&r.__esModule&&r||{default:r}).WalkontableBorder,u=(i=e("cell/coords"),i&&i.__esModule&&i||{default:i}).WalkontableCellCoords,c=(s=e("cell/range"),s&&s.__esModule&&s||{default:s}).WalkontableCellRange,d=function(e,t){this.settings=e,this.cellRange=t||null,this.instanceBorders={}};$traceurRuntime.createClass(d,{getBorder:function(e){return this.instanceBorders[e.guid]?this.instanceBorders[e.guid]:void(this.instanceBorders[e.guid]=new l(e,this.settings))},isEmpty:function(){return null===this.cellRange},add:function(e){this.isEmpty()?this.cellRange=new c(e,e,e):this.cellRange.expand(e)},replace:function(e,t){if(!this.isEmpty()){if(this.cellRange.from.isEqual(e))return this.cellRange.from=t,!0;if(this.cellRange.to.isEqual(e))return this.cellRange.to=t,!0}return!1},clear:function(){this.cellRange=null},getCorners:function(){var 
e=this.cellRange.getTopLeftCorner(),t=this.cellRange.getBottomRightCorner();return[e.row,e.col,t.row,t.col]},addClassAtCoords:function(e,t,o,n){var r=e.wtTable.getCell(new u(t,o));"object"==typeof r&&a(r,n)},draw:function(e){if(this.isEmpty()){if(this.settings.border){var t=this.getBorder(e);t&&t.disappear()}}else{for(var o,n,r,i=e.wtTable.getRenderedRowsCount(),s=e.wtTable.getRenderedColumnsCount(),l=this.getCorners(),u=0;u=l[1]&&n<=l[3]&&(r=e.wtTable.getColumnHeader(n))){var c=[];this.settings.highlightHeaderClassName&&c.push(this.settings.highlightHeaderClassName),this.settings.highlightColumnClassName&&c.push(this.settings.highlightColumnClassName),a(r,c)}for(var d=0;d=l[0]&&o<=l[2]&&(r=e.wtTable.getRowHeader(o))){var h=[];this.settings.highlightHeaderClassName&&h.push(this.settings.highlightHeaderClassName),this.settings.highlightRowClassName&&h.push(this.settings.highlightRowClassName),a(r,h)}for(var f=0;f=l[0]&&o<=l[2]&&n>=l[1]&&n<=l[3]?this.settings.className&&this.addClassAtCoords(e,o,n,this.settings.className):o>=l[0]&&o<=l[2]?this.settings.highlightRowClassName&&this.addClassAtCoords(e,o,n,this.settings.highlightRowClassName):n>=l[1]&&n<=l[3]&&this.settings.highlightColumnClassName&&this.addClassAtCoords(e,o,n,this.settings.highlightColumnClassName)}if(e.getSetting("onBeforeDrawBorders",l,this.settings.className),this.settings.border){var p=this.getBorder(e);p&&p.appear(l)}}}},{}),window.WalkontableSelection=d},{border:3,"cell/coords":6,"cell/range":7,"helpers/dom/element":47}],20:[function(e,t,o){"use strict";Object.defineProperties(o,{WalkontableSettings:{get:function(){return i}},__esModule:{value:!0}});var n,r=(n=e("helpers/dom/element"),n&&n.__esModule&&n||{default:n}).fastInnerText,i=function(e,t){var o=this;this.wot=e,this.instance=e,this.defaults={table:void 0,debug:!1,externalRowCalculator:!1,stretchH:"none",currentRowClassName:null,currentColumnClassName:null,preventOverflow:function(){return!1},data:void 
0,fixedColumnsLeft:0,fixedRowsTop:0,fixedRowsBottom:0,minSpareRows:0,rowHeaders:function(){return[]},columnHeaders:function(){return[]},totalRows:void 0,totalColumns:void 0,cellRenderer:function(e,t,n){var i=o.getSetting("data",e,t);r(n,void 0===i||null===i?"":i)},columnWidth:function(e){},rowHeight:function(e){},defaultRowHeight:23,defaultColumnWidth:50,selections:null,hideBorderOnMouseDownOver:!1,viewportRowCalculatorOverride:null,viewportColumnCalculatorOverride:null,onCellMouseDown:null,onCellMouseOver:null,onCellMouseUp:null,onCellDblClick:null,onCellCornerMouseDown:null,onCellCornerDblClick:null,beforeDraw:null,onDraw:null,onBeforeDrawBorders:null,onScrollVertically:null,onScrollHorizontally:null,onBeforeTouchScroll:null,onAfterMomentumScroll:null,onBeforeStretchingColumnWidth:function(e){return e},onModifyRowHeaderWidth:null,scrollbarWidth:10,scrollbarHeight:10,renderAllRows:!1,groups:!1,rowHeaderWidth:null,columnHeaderHeight:null,headerClassName:null},this.settings={};for(var n in this.defaults)if(this.defaults.hasOwnProperty(n))if(void 0!==t[n])this.settings[n]=t[n];else{if(void 0===this.defaults[n])throw new Error('A required setting "'+n+'" was not provided');this.settings[n]=this.defaults[n]}};$traceurRuntime.createClass(i,{update:function(e,t){if(void 0===t)for(var o in e)e.hasOwnProperty(o)&&(this.settings[o]=e[o]);else this.settings[e]=t;return this.wot},getSetting:function(e,t,o,n,r){return"function"==typeof this.settings[e]?this.settings[e](t,o,n,r):void 0!==t&&Array.isArray(this.settings[e])?this.settings[e][t]:this.settings[e]},has:function(e){return!!this.settings[e]}},{}),window.WalkontableSettings=i},{"helpers/dom/element":47}],21:[function(e,t,o){"use strict";Object.defineProperties(o,{WalkontableTable:{get:function(){return S}},__esModule:{value:!0}});var 
n,r,i,s,a,l,u,c=(n=e("helpers/dom/element"),n&&n.__esModule&&n||{default:n}),d=c.getStyle,h=c.getTrimmingContainer,f=c.hasClass,p=c.index,g=c.offset,m=c.removeClass,w=c.removeTextNodes,v=c.overlayContainsElement,y=c.closest,b=(r=e("helpers/function"),r&&r.__esModule&&r||{default:r}).isFunction,C=(i=e("cell/coords"),i&&i.__esModule&&i||{default:i}).WalkontableCellCoords,_=((s=e("cell/range"),s&&s.__esModule&&s||{default:s}).WalkontableCellRange,(a=e("filter/column"),a&&a.__esModule&&a||{default:a}).WalkontableColumnFilter),R=(l=e("filter/row"),l&&l.__esModule&&l||{default:l}).WalkontableRowFilter,M=(u=e("tableRenderer"),u&&u.__esModule&&u||{default:u}).WalkontableTableRenderer,S=function(e,t){var o=this;this.wot=e,this.instance=this.wot,this.TABLE=t,this.TBODY=null,this.THEAD=null,this.COLGROUP=null,this.tableOffset=0,this.holderOffset=0,w(this.TABLE),this.spreader=this.createSpreader(this.TABLE),this.hider=this.createHider(this.spreader),this.holder=this.createHolder(this.hider),this.wtRootElement=this.holder.parentNode,this.alignOverlaysWithTrimmingContainer(),this.fixTableDomTree(),this.colgroupChildrenLength=this.COLGROUP.childNodes.length,this.theadChildrenLength=this.THEAD.firstChild?this.THEAD.firstChild.childNodes.length:0,this.tbodyChildrenLength=this.TBODY.childNodes.length,this.rowFilter=null,this.columnFilter=null,this.correctHeaderWidth=!1;var n=this.wot.wtSettings.settings.rowHeaderWidth;this.wot.wtSettings.settings.rowHeaderWidth=function(){return 
o._modifyRowHeaderWidth(n)}};$traceurRuntime.createClass(S,{fixTableDomTree:function(){this.TBODY=this.TABLE.querySelector("tbody"),this.TBODY||(this.TBODY=document.createElement("tbody"),this.TABLE.appendChild(this.TBODY)),this.THEAD=this.TABLE.querySelector("thead"),this.THEAD||(this.THEAD=document.createElement("thead"),this.TABLE.insertBefore(this.THEAD,this.TBODY)),this.COLGROUP=this.TABLE.querySelector("colgroup"),this.COLGROUP||(this.COLGROUP=document.createElement("colgroup"),this.TABLE.insertBefore(this.COLGROUP,this.THEAD)),this.wot.getSetting("columnHeaders").length&&!this.THEAD.childNodes.length&&this.THEAD.appendChild(document.createElement("TR"))},createSpreader:function(e){var t,o=e.parentNode;return o&&1===o.nodeType&&f(o,"wtHolder")||(t=document.createElement("div"),t.className="wtSpreader",o&&o.insertBefore(t,e),t.appendChild(e)),t.style.position="relative",t},createHider:function(e){var t,o=e.parentNode;return o&&1===o.nodeType&&f(o,"wtHolder")||(t=document.createElement("div"),t.className="wtHider",o&&o.insertBefore(t,e),t.appendChild(e)),t},createHolder:function(e){var t,o=e.parentNode;return o&&1===o.nodeType&&f(o,"wtHolder")||(t=document.createElement("div"),t.style.position="relative",t.className="wtHolder",o&&o.insertBefore(t,e),this.isWorkingOnClone()||(t.parentNode.className+="ht_master handsontable"),t.appendChild(e)),t},alignOverlaysWithTrimmingContainer:function(){var e=h(this.wtRootElement);if(!this.isWorkingOnClone())if(this.holder.parentNode.style.position="relative",e===window){var t=this.wot.getSetting("preventOverflow");t||(this.holder.style.overflow="visible",this.wtRootElement.style.overflow="visible")}else this.holder.style.width=d(e,"width"),this.holder.style.height=d(e,"height"),this.holder.style.overflow=""},isWorkingOnClone:function(){return!!this.wot.cloneSource},draw:function(e){var 
t=this.wot,o=t.wtOverlays,n=t.wtViewport,r=this.instance.getSetting("totalRows"),i=this.wot.getSetting("rowHeaders").length,s=this.wot.getSetting("columnHeaders").length,a=!1;if(!this.isWorkingOnClone()&&(this.holderOffset=g(this.holder),e=n.createRenderCalculators(e),i&&!this.wot.getSetting("fixedColumnsLeft"))){var l=o.leftOverlay.getScrollPosition(),u=this.correctHeaderWidth;this.correctHeaderWidth=l>0,u!==this.correctHeaderWidth&&(e=!1)}if(this.isWorkingOnClone()||(a=o.prepareOverlays()),e)this.isWorkingOnClone()||n.createVisibleCalculators(),o&&o.refresh(!0);else{this.isWorkingOnClone()?this.tableOffset=this.wot.cloneSource.wtTable.tableOffset:this.tableOffset=g(this.TABLE);var c;c=WalkontableOverlay.isOverlayTypeOf(this.wot.cloneOverlay,WalkontableOverlay.CLONE_DEBUG)||WalkontableOverlay.isOverlayTypeOf(this.wot.cloneOverlay,WalkontableOverlay.CLONE_TOP)||WalkontableOverlay.isOverlayTypeOf(this.wot.cloneOverlay,WalkontableOverlay.CLONE_TOP_LEFT_CORNER)?0:WalkontableOverlay.isOverlayTypeOf(this.instance.cloneOverlay,WalkontableOverlay.CLONE_BOTTOM)||WalkontableOverlay.isOverlayTypeOf(this.instance.cloneOverlay,WalkontableOverlay.CLONE_BOTTOM_LEFT_CORNER)?Math.max(r-this.wot.getSetting("fixedRowsBottom"),0):n.rowsRenderCalculator.startRow;var d;d=WalkontableOverlay.isOverlayTypeOf(this.wot.cloneOverlay,WalkontableOverlay.CLONE_DEBUG)||WalkontableOverlay.isOverlayTypeOf(this.wot.cloneOverlay,WalkontableOverlay.CLONE_LEFT)||WalkontableOverlay.isOverlayTypeOf(this.wot.cloneOverlay,WalkontableOverlay.CLONE_TOP_LEFT_CORNER)||WalkontableOverlay.isOverlayTypeOf(this.wot.cloneOverlay,WalkontableOverlay.CLONE_BOTTOM_LEFT_CORNER)?0:n.columnsRenderCalculator.startColumn,this.rowFilter=new R(c,r,s),this.columnFilter=new _(d,this.wot.getSetting("totalColumns"),i),this.alignOverlaysWithTrimmingContainer(),this._doDraw()}return 
this.refreshSelections(e),this.isWorkingOnClone()||(o.topOverlay.resetFixedPosition(),o.bottomOverlay.clone&&o.bottomOverlay.resetFixedPosition(),o.leftOverlay.resetFixedPosition(),o.topLeftCornerOverlay&&o.topLeftCornerOverlay.resetFixedPosition(),o.bottomLeftCornerOverlay&&o.bottomLeftCornerOverlay.clone&&o.bottomLeftCornerOverlay.resetFixedPosition()),a&&o.syncScrollWithMaster(),this.wot.drawn=!0,this},_doDraw:function(){var e=new M(this);e.render()},removeClassFromCells:function(e){for(var t=this.TABLE.querySelectorAll("."+e),o=0,n=t.length;o=0},isRowAfterViewport:function(e){return this.rowFilter&&this.rowFilter.sourceToRendered(e)>this.getLastVisibleRow()},isRowAfterRenderedRows:function(e){return this.rowFilter&&this.rowFilter.sourceToRendered(e)>this.getLastRenderedRow()},isColumnBeforeViewport:function(e){return this.columnFilter&&this.columnFilter.sourceToRendered(e)<0&&e>=0},isColumnAfterViewport:function(e){return this.columnFilter&&this.columnFilter.sourceToRendered(e)>this.getLastVisibleColumn()},isLastRowFullyVisible:function(){return this.getLastVisibleRow()===this.getLastRenderedRow()},isLastColumnFullyVisible:function(){return this.getLastVisibleColumn()===this.getLastRenderedColumn()},getRenderedColumnsCount:function(){var e=this.wot.wtViewport.columnsRenderCalculator.count,t=this.wot.getSetting("totalColumns");if(this.wot.isOverlayName(WalkontableOverlay.CLONE_DEBUG))e=t;else if(this.wot.isOverlayName(WalkontableOverlay.CLONE_LEFT)||this.wot.isOverlayName(WalkontableOverlay.CLONE_TOP_LEFT_CORNER)||this.wot.isOverlayName(WalkontableOverlay.CLONE_BOTTOM_LEFT_CORNER))return Math.min(this.wot.getSetting("fixedColumnsLeft"),t);return e},getRenderedRowsCount:function(){var e=this.wot.wtViewport.rowsRenderCalculator.count,t=this.wot.getSetting("totalRows");return 
this.wot.isOverlayName(WalkontableOverlay.CLONE_DEBUG)?e=t:this.wot.isOverlayName(WalkontableOverlay.CLONE_TOP)||this.wot.isOverlayName(WalkontableOverlay.CLONE_TOP_LEFT_CORNER)?e=Math.min(this.wot.getSetting("fixedRowsTop"),t):(this.wot.isOverlayName(WalkontableOverlay.CLONE_BOTTOM)||this.wot.isOverlayName(WalkontableOverlay.CLONE_BOTTOM_LEFT_CORNER))&&(e=Math.min(this.wot.getSetting("fixedRowsBottom"),t)),e},getVisibleRowsCount:function(){return this.wot.wtViewport.rowsVisibleCalculator.count},allRowsInViewport:function(){return this.wot.getSetting("totalRows")==this.getVisibleRowsCount()},getRowHeight:function(e){var t=this.wot.wtSettings.settings.rowHeight(e),o=this.wot.wtViewport.oversizedRows[e];return void 0!==o&&(t=void 0===t?o:Math.max(t,o)),t},getColumnHeaderHeight:function(e){var t=this.wot.wtSettings.settings.defaultRowHeight,o=this.wot.wtViewport.oversizedColumnHeaders[e];return void 0!==o&&(t=t?Math.max(t,o):o),t},getVisibleColumnsCount:function(){return this.wot.wtViewport.columnsVisibleCalculator.count},allColumnsInViewport:function(){return this.wot.getSetting("totalColumns")==this.getVisibleColumnsCount()},getColumnWidth:function(e){var t=this.wot.wtSettings.settings.columnWidth;return"function"==typeof t?t=t(e):"object"==typeof t&&(t=t[e]),t||this.wot.wtSettings.settings.defaultColumnWidth},getStretchedColumnWidth:function(e){var t=this.getColumnWidth(e),o=null==t?this.instance.wtSettings.settings.defaultColumnWidth:t,n=this.wot.wtViewport.columnsRenderCalculator;if(n){var r=n.getStretchedColumnWidth(e,o);r&&(o=r)}return o},_modifyRowHeaderWidth:function(e){var t=b(e)?e():null;return Array.isArray(t)?(t=$traceurRuntime.spread(t),t[t.length-1]=this._correctRowHeaderWidth(t[t.length-1])):t=this._correctRowHeaderWidth(t),t},_correctRowHeaderWidth:function(e){return"number"!=typeof 
e&&(e=this.wot.getSetting("defaultColumnWidth")),this.correctHeaderWidth&&e++,e}},{}),window.WalkontableTable=S},{"cell/coords":6,"cell/range":7,"filter/column":10,"filter/row":11,"helpers/dom/element":47,"helpers/function":50,tableRenderer:22}],22:[function(e,t,o){"use strict";function n(e,t){var o=document.createElement("TH");return t.insertBefore(o,e),t.removeChild(e),o}function r(e,t){var o=document.createElement("TD");return t.insertBefore(o,e),t.removeChild(e),o}Object.defineProperties(o,{WalkontableTableRenderer:{get:function(){return p}},__esModule:{value:!0}});var i,s=(i=e("helpers/dom/element"),i&&i.__esModule&&i||{default:i}),a=s.addClass,l=s.empty,u=s.getScrollbarWidth,c=s.hasClass,d=s.innerHeight,h=s.outerWidth,f=!1,p=function(e){this.wtTable=e,this.wot=e.instance,this.instance=e.instance,this.rowFilter=e.rowFilter,this.columnFilter=e.columnFilter,this.TABLE=e.TABLE,this.THEAD=e.THEAD,this.TBODY=e.TBODY,this.COLGROUP=e.COLGROUP,this.rowHeaders=[],this.rowHeaderCount=0,this.columnHeaders=[],this.columnHeaderCount=0,this.fixedRowsTop=0,this.fixedRowsBottom=0};$traceurRuntime.createClass(p,{render:function(){if(!this.wtTable.isWorkingOnClone()){var e={};if(this.wot.getSetting("beforeDraw",!0,e),e.skipRender===!0)return}this.rowHeaders=this.wot.getSetting("rowHeaders"),this.rowHeaderCount=this.rowHeaders.length,this.fixedRowsTop=this.wot.getSetting("fixedRowsTop"),this.fixedRowsBottom=this.wot.getSetting("fixedRowsBottom"),this.columnHeaders=this.wot.getSetting("columnHeaders"),this.columnHeaderCount=this.columnHeaders.length;var 
t,o=this.wtTable.getRenderedColumnsCount(),n=this.wtTable.getRenderedRowsCount(),r=this.wot.getSetting("totalColumns"),i=this.wot.getSetting("totalRows"),s=!1;if((WalkontableOverlay.isOverlayTypeOf(this.wot.cloneOverlay,WalkontableOverlay.CLONE_BOTTOM)||WalkontableOverlay.isOverlayTypeOf(this.wot.cloneOverlay,WalkontableOverlay.CLONE_BOTTOM_LEFT_CORNER))&&(this.columnHeaders=[],this.columnHeaderCount=0),r>=0&&(this.adjustAvailableNodes(),s=!0,this.renderColumnHeaders(),this.renderRows(i,n,o),this.wtTable.isWorkingOnClone()||(t=this.wot.wtViewport.getWorkspaceWidth(),this.wot.wtViewport.containerWidth=null),this.adjustColumnWidths(o),this.markOversizedColumnHeaders(),this.adjustColumnHeaderHeights()),s||this.adjustAvailableNodes(),this.removeRedundantRows(n),this.wtTable.isWorkingOnClone()&&!this.wot.isOverlayName(WalkontableOverlay.CLONE_BOTTOM)||this.markOversizedRows(),this.wtTable.isWorkingOnClone())this.wot.isOverlayName(WalkontableOverlay.CLONE_BOTTOM)&&this.wot.cloneSource.wtOverlays.adjustElementsSize();else{this.wot.wtViewport.createVisibleCalculators(),this.wot.wtOverlays.refresh(!1),this.wot.wtOverlays.applyToDOM();var a=h(this.wtTable.hider),l=h(this.wtTable.TABLE);if(0!==a&&l!==a&&this.adjustColumnWidths(o),t!==this.wot.wtViewport.getWorkspaceWidth()){this.wot.wtViewport.containerWidth=null;var u=this.wtTable.getFirstRenderedColumn(),c=this.wtTable.getLastRenderedColumn(),d=this.wot.getSetting("defaultColumnWidth"),f=this.wot.getSetting("rowHeaderWidth");if(f=this.instance.getSetting("onModifyRowHeaderWidth",f),null!=f)for(var p=0;pe;)this.TBODY.removeChild(this.TBODY.lastChild),this.wtTable.tbodyChildrenLength--},renderRows:function(e,t,o){for(var n,r,i=0,s=this.rowFilter.renderedToSource(i),a=this.wtTable.isWorkingOnClone();s=0&&(!f&&i>1e3&&(f=!0,console.warn('Performance tip: Handsontable rendered more than 1000 visible rows. 
Consider limiting the number of rendered rows by specifying the table height and/or turning off the "renderAllRows" option.')),void 0===t||i!==t);){if(r=this.getOrCreateTrForRow(i,r),this.renderRowHeaders(s,r),this.adjustColumns(r,o+this.rowHeaderCount),n=this.renderCells(s,r,o),a&&!this.wot.isOverlayName(WalkontableOverlay.CLONE_BOTTOM)||this.resetOversizedRow(s),r.firstChild){var l=this.wot.wtTable.getRowHeight(s);l?(l--,r.firstChild.style.height=l+"px"):r.firstChild.style.height=""}i++,s=this.rowFilter.renderedToSource(i)}},resetOversizedRow:function(e){this.wot.getSetting("externalRowCalculator")||this.wot.wtViewport.oversizedRows&&this.wot.wtViewport.oversizedRows[e]&&(this.wot.wtViewport.oversizedRows[e]=void 0)},markOversizedRows:function(){if(!this.wot.getSetting("externalRowCalculator")){var e,t,o,n,r,i=this.instance.wtTable.TBODY.childNodes.length,s=i*this.instance.wtSettings.settings.defaultRowHeight,a=d(this.instance.wtTable.TBODY)-1;this.instance.getSetting("totalRows");if(s!==a||this.instance.getSetting("fixedRowsBottom"))for(;i;)i--,o=this.instance.wtTable.rowFilter.renderedToSource(i),e=this.instance.wtTable.getRowHeight(o),n=this.instance.wtTable.getTrForRow(o),r=n.querySelector("th"),t=r?d(r):d(n)-1,(!e&&this.instance.wtSettings.settings.defaultRowHeight=this.wtTable.tbodyChildrenLength?(o=this.createRow(),this.appendToTbody(o)):o=0===e?this.TBODY.firstChild:t.nextSibling,o.className&&o.removeAttribute("class"),o},createRow:function(){for(var e=document.createElement("TR"),t=0;te+this.rowHeaderCount;)this.COLGROUP.removeChild(this.COLGROUP.lastChild),this.wtTable.colgroupChildrenLength--;this.rowHeaderCount&&a(this.COLGROUP.childNodes[0],"rowHeader")},adjustThead:function(){var e=this.wtTable.getRenderedColumnsCount(),t=this.THEAD.firstChild;if(this.columnHeaders.length){for(var o=0,n=this.columnHeaders.length;oe+this.rowHeaderCount;)t.removeChild(t.lastChild),this.theadChildrenLength--}var 
r=this.THEAD.childNodes.length;if(r>this.columnHeaders.length)for(var i=this.columnHeaders.length;it;)e.removeChild(e.lastChild),o--},removeRedundantColumns:function(e){for(;this.wtTable.tbodyChildrenLength>e;)this.TBODY.removeChild(this.TBODY.lastChild),this.wtTable.tbodyChildrenLength--}},{}),window.WalkontableTableRenderer=p},{"helpers/dom/element":47}],23:[function(e,t,o){"use strict";Object.defineProperties(o,{WalkontableViewport:{get:function(){return v}},__esModule:{value:!0}});var n,r,i,s,a,l=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,u=(r=e("helpers/dom/element"),r&&r.__esModule&&r||{default:r}),c=u.getScrollbarWidth,d=(u.getScrollTop,u.getStyle),h=u.offset,f=u.outerHeight,p=u.outerWidth,g=(i=e("eventManager"),i&&i.__esModule&&i||{default:i}).EventManager,m=(s=e("calculator/viewportColumns"),s&&s.__esModule&&s||{default:s}).WalkontableViewportColumnsCalculator,w=(a=e("calculator/viewportRows"),a&&a.__esModule&&a||{default:a}).WalkontableViewportRowsCalculator,v=function(e){var t=this;this.wot=e,this.instance=this.wot,this.oversizedRows=[],this.oversizedColumnHeaders=[],this.hasOversizedColumnHeadersMarked={},this.clientHeight=0,this.containerWidth=NaN,this.rowHeaderWidth=NaN,this.rowsVisibleCalculator=null,this.columnsVisibleCalculator=null,this.eventManager=new g(this.wot),this.eventManager.addEventListener(window,"resize",function(){t.clientHeight=t.getWorkspaceHeight()})};$traceurRuntime.createClass(v,{getWorkspaceHeight:function(){var e,t=this.instance.wtOverlays.topOverlay.trimmingContainer,o=0;return t===window?o=document.documentElement.clientHeight:(e=f(t),o=e>0&&t.clientHeight>0?t.clientHeight:1/0),o},getWorkspaceWidth:function(){var e,t,o=this.wot.getSetting("totalColumns"),n=this.instance.wtOverlays.leftOverlay.trimmingContainer,r=this.wot.getSetting("stretchH"),i=document.documentElement.offsetWidth,s=this.wot.getSetting("preventOverflow");return 
s?p(this.instance.wtTable.wtRootElement):(e=l.freezeOverlays?Math.min(i-this.getWorkspaceOffset().left,i):Math.min(this.getContainerFillWidth(),i-this.getWorkspaceOffset().left,i),n===window&&o>0&&this.sumColumnWidths(0,o-1)>e?document.documentElement.clientWidth:n!==window&&(t=d(this.instance.wtOverlays.leftOverlay.trimmingContainer,"overflow"),"scroll"==t||"hidden"==t||"auto"==t)?Math.max(e,n.clientWidth):"none"!==r&&r?e:Math.max(e,p(this.instance.wtTable.TABLE)))},hasVerticalScroll:function(){return this.getWorkspaceActualHeight()>this.getWorkspaceHeight()},hasHorizontalScroll:function(){return this.getWorkspaceActualWidth()>this.getWorkspaceWidth()},sumColumnWidths:function(e,t){for(var o=0;e0&&(t-=e),t)},getRowHeaderWidth:function(){var e=this.instance.getSetting("rowHeaderWidth"),t=this.instance.getSetting("rowHeaders");if(e){this.rowHeaderWidth=0;for(var o=0,n=t.length;o0?t-e:t)},createRowsCalculator:function(){var e,t,o,n,r,i,s,a=void 0!==arguments[0]&&arguments[0],l=this;return this.rowHeaderWidth=NaN,e=this.wot.wtSettings.settings.renderAllRows?1/0:this.getViewportHeight(),t=this.wot.wtOverlays.topOverlay.getScrollPosition()-this.wot.wtOverlays.topOverlay.getTableParentOffset(),t<0&&(t=0),o=this.wot.getSetting("fixedRowsTop"),r=this.wot.getSetting("fixedRowsBottom"),s=this.wot.getSetting("totalRows"),o&&(i=this.wot.wtOverlays.topOverlay.sumCellSizes(0,o),t+=i,e-=i),r&&this.wot.wtOverlays.bottomOverlay.clone&&(i=this.wot.wtOverlays.bottomOverlay.sumCellSizes(s-r,s),e-=i),n=this.wot.wtTable.holder.clientHeight===this.wot.wtTable.holder.offsetHeight?0:c(),new w(e,t,this.wot.getSetting("totalRows"),function(e){return l.wot.wtTable.getRowHeight(e)},a?null:this.wot.wtSettings.settings.viewportRowCalculatorOverride,a,n)},createColumnsCalculator:function(){var e,t,o=void 
0!==arguments[0]&&arguments[0],n=this,r=this.getViewportWidth();if(this.columnHeaderHeight=NaN,e=this.wot.wtOverlays.leftOverlay.getScrollPosition()-this.wot.wtOverlays.leftOverlay.getTableParentOffset(), -e<0&&(e=0),t=this.wot.getSetting("fixedColumnsLeft")){var i=this.wot.wtOverlays.leftOverlay.sumCellSizes(0,t);e+=i,r-=i}return this.wot.wtTable.holder.clientWidth!==this.wot.wtTable.holder.offsetWidth&&(r-=c()),new m(r,e,this.wot.getSetting("totalColumns"),function(e){return n.wot.wtTable.getColumnWidth(e)},o?null:this.wot.wtSettings.settings.viewportColumnCalculatorOverride,o,this.wot.getSetting("stretchH"),function(e,t){return n.wot.getSetting("onBeforeStretchingColumnWidth",e,t)})},createRenderCalculators:function(){var e=void 0!==arguments[0]&&arguments[0];if(e){var t=this.createRowsCalculator(!0),o=this.createColumnsCalculator(!0);this.areAllProposedVisibleRowsAlreadyRendered(t)&&this.areAllProposedVisibleColumnsAlreadyRendered(o)||(e=!1)}return e||(this.rowsRenderCalculator=this.createRowsCalculator(),this.columnsRenderCalculator=this.createColumnsCalculator()),this.rowsVisibleCalculator=null,this.columnsVisibleCalculator=null,e},createVisibleCalculators:function(){this.rowsVisibleCalculator=this.createRowsCalculator(!0),this.columnsVisibleCalculator=this.createColumnsCalculator(!0)},areAllProposedVisibleRowsAlreadyRendered:function(e){return!!this.rowsVisibleCalculator&&(!(e.startRow0)&&!(e.endRow>this.rowsRenderCalculator.endRow||e.endRow===this.rowsRenderCalculator.endRow&&e.endRow0)&&!(e.endColumn>this.columnsRenderCalculator.endColumn||e.endColumn===this.columnsRenderCalculator.endColumn&&e.endColumn=0;s--)if(null===e[s])e.splice(s,1);else{var a=e[s][0],l=u.propToCol(e[s][1]),c=p.getCellMeta(a,l);if("numeric"===c.type&&"string"==typeof e[s][3]&&e[s][3].length>0&&(/^-?[\d\s]*(\.|\,)?\d*$/.test(e[s][3])||c.format)){var 
d=e[s][3].length;I(c.language)?O.culture("en-US"):e[s][3].indexOf(".")===d-3&&e[s][3].indexOf(",")===-1?O.culture("en-US"):O.culture(c.language);O.cultureData(O.culture()).delimiters;O.validate(e[s][3])&&!isNaN(e[s][3])?e[s][3]=parseFloat(e[s][3]):e[s][3]=O().unformat(e[s][3])||e[s][3]}p.getCellValidator(c)&&(i.addValidatorToQueue(),p.validateCell(e[s][3],c,function(t,o){return function(n){if("boolean"!=typeof n)throw new Error("Validation error: result is not boolean");n===!1&&o.allowInvalid===!1&&(e.splice(t,1),o.valid=!0,--t),i.removeValidatorFormQueue()}}(s,c),t))}i.checkIfQueueIsEmpty()}function r(e,t){var o=e.length-1;if(!(o<0)){for(;0<=o;o--){var n=!1;if(null!==e[o]){if(null!=e[o][2]||null!=e[o][3]){if(l.settings.allowInsertRow)for(;e[o][0]>p.countRows()-1;){var r=u.createRow();if(0===r){n=!0;break}}if(!n){if("array"===p.dataType&&(!l.settings.columns||0===l.settings.columns.length)&&l.settings.allowInsertColumn)for(;u.propToCol(e[o][1])>p.countCols()-1;)u.createCol();u.set(e[o][0],e[o][1],e[o][3])}}}else e.splice(o,1)}p.forceFullRender=!0,d.adjustRowsAndCols(),E.hooks.run(p,"beforeChangeRender",e,t),h.refreshBorders(null,!0),p.view.wt.wtOverlays.adjustElementsSize(),E.hooks.run(p,"afterChange",e,t||"edit");var i=p.getActiveEditor();i&&L(i.refreshValue)&&i.refreshValue()}}function i(e,t,o){return"object"==typeof e?e:[[e,t,o]]}function s(e){if(e.hasOwnProperty("type")){var t,o={};if("object"==typeof e.type)t=e.type;else if("string"==typeof e.type&&(t=E.cellTypes[e.type],void 0===t))throw new Error('You declared cell type "'+e.type+'" as a string that is not mapped to a known object. 
Cell type must be an object or a string mapped to an object in Handsontable.cellTypes');for(var n in t)t.hasOwnProperty(n)&&!e.hasOwnProperty(n)&&(o[n]=t[n]);return o}}function a(){throw new Error("This method cannot be called because this Handsontable instance has been destroyed")}var l,u,c,d,h,f,p=this,g=function(){},m=B(p),w=le(p);U(g.prototype,he.prototype),U(g.prototype,t),U(g.prototype,s(t)),this.rootElement=e,this.isHotTableEnv=x(this.rootElement),E.eventManager.isHotTableEnv=this.isHotTableEnv,this.container=document.createElement("DIV"),this.renderCall=!1,e.insertBefore(this.container,e.firstChild),this.guid="ht_"+ee(),c=new ne(p),this.rootElement.id&&"ht_"!==this.rootElement.id.substring(0,3)||(this.rootElement.id=this.guid),l={cellSettings:[],columnSettings:[],columnsSettingConflicts:["data","width"],settings:new g,selRange:null,isPopulated:null,scrollable:null,firstRun:!0},d={alter:function(e,t,o,n,r){function i(e,t,o,n){var r=function(){var e;return"array"===n?e=[]:"object"===n&&(e={}),e},i=Z(new Array(o),function(){return r()});i.unshift(t,0),e.splice.apply(e,i)}var s;switch(o=o||1,e){case"insert_row":var a=p.countSourceRows();if(p.getSettings().maxRows===a)return;t=L(t)?t:a,s=u.createRow(t,o,n),i(l.cellSettings,t,o,"array"),s&&(h.isSelected()&&l.selRange.from.row>=t?(l.selRange.from.row=l.selRange.from.row+s,h.transformEnd(s,0)):h.refreshBorders());break;case"insert_col":s=u.createCol(t,o,n);for(var c=0,f=p.countSourceRows();c=t?(l.selRange.from.col=l.selRange.from.col+s,h.transformEnd(0,s)):h.refreshBorders()}break;case"remove_row":u.removeRow(t,o,n),l.cellSettings.splice(t,o);var m=p.countRows(),v=p.getSettings().fixedRowsTop;v>=t+1&&(p.getSettings().fixedRowsTop-=Math.min(o,v-t));var y=p.getSettings().fixedRowsBottom;y&&t>=m-y&&(p.getSettings().fixedRowsBottom-=Math.min(o,y)),d.adjustRowsAndCols(),h.refreshBorders();break;case"remove_col":var b=w.toPhysicalColumn(t);u.removeCol(t,o,n);for(var 
C=0,_=p.countSourceRows();C<_;C++)l.cellSettings[C]&&l.cellSettings[C].splice(b,o);var R=p.getSettings().fixedColumnsLeft;R>=t+1&&(p.getSettings().fixedColumnsLeft-=Math.min(o,R-t)),Array.isArray(p.getSettings().colHeaders)&&("undefined"==typeof b&&(b=-1),p.getSettings().colHeaders.splice(b,o)),d.adjustRowsAndCols(),h.refreshBorders();break;default:throw new Error('There is no such action "'+e+'"')}r||d.adjustRowsAndCols()},adjustRowsAndCols:function(){if(l.settings.minRows){var e=p.countRows();if(ei-1?(c=i-1,a=!0,f>c&&(f=c)):f>i-1&&(f=i-1,a=!0,c>f&&(c=f)),d>s-1?(d=s-1,a=!0,g>d&&(g=d)):g>s-1&&(g=s-1,a=!0,d>g&&(d=g)),a&&p.selectCell(c,d,f,g)}p.view&&p.view.wt.wtOverlays.adjustElementsSize()},populateFromArray:function(e,t,o,n,r,i,s){var a,u,c,d,h=[],f={};if(u=t.length,0===u)return!1;var g,m,w,v;({row:null===o?null:o.row,col:null===o?null:o.col});switch(r){case"shift_down":for(g=o?o.col-e.col+1:0,m=o?o.row-e.row+1:0,t=ie(t),c=0,d=t.length,w=Math.max(d,g);co.row&&E>S||!l.settings.allowInsertRow&&f.row>p.countRows()-1||f.row>=l.settings.maxRows);a++){var O=a-C,T=M(O).length,k=o?o.col-e.col+1:0;if(d=o?k:Math.max(T,k),f.col=e.col,y=p.getCellMeta(f.row,f.col),"paste"!==n&&"autofill"!==n||!y.skipRowOnPaste){for(_=0,c=0;co.col&&k>T||!l.settings.allowInsertColumn&&f.col>p.countCols()-1||f.col>=l.settings.maxCols);c++)if(y=p.getCellMeta(f.row,f.col),"paste"!==n&&"autofill"!==n||!y.skipColumnOnPaste)if(y.readOnly)f.col++;else{var D=c-_,x=M(O,D),H=p.getDataAtCell(f.row,f.col),A={row:O,col:D};if("autofill"===n){var P=p.runHooks("beforeAutofillInsidePopulate",A,i,t,s,{},b);P&&(x=I(P.value)?x:P.value)}if(null!==x&&"object"==typeof x)if(null===H||"object"!=typeof H)R=!1;else{var N=Y(H[0]||H),L=Y(x[0]||x);$(N,L)?x=z(x):R=!1}else null!==H&&"object"==typeof H&&(R=!1);R&&h.push([f.row,f.col,x]),R=!0,f.col++}else _++,f.col++,d++;f.row++}else 
C++,f.row++,u++}p.setDataAtCell(h,null,null,n||"populateFromArray")}}},this.selection=h={inProgress:!1,selectedHeader:{cols:!1,rows:!1},setSelectedHeaders:function(){var e=void 0!==arguments[0]&&arguments[0],t=void 0!==arguments[1]&&arguments[1],o=void 0!==arguments[2]&&arguments[2];p.selection.selectedHeader.rows=e,p.selection.selectedHeader.cols=t,p.selection.selectedHeader.corner=o},begin:function(){p.selection.inProgress=!0},finish:function(){var e=p.getSelected();E.hooks.run(p,"afterSelectionEnd",e[0],e[1],e[2],e[3]),E.hooks.run(p,"afterSelectionEndByProp",e[0],p.colToProp(e[1]),e[2],p.colToProp(e[3])),p.selection.inProgress=!1},isInProgress:function(){return p.selection.inProgress},setRangeStart:function(e,t){E.hooks.run(p,"beforeSetRangeStart",e),l.selRange=new ce(e,e,e),h.setRangeEnd(e,null,t)},setRangeStartOnly:function(e){E.hooks.run(p,"beforeSetRangeStartOnly",e),l.selRange=new ce(e,e,e)},setRangeEnd:function(e,t,o){if(null!==l.selRange){var n,r=!1,i=!0,s=p.view.wt.wtTable.getFirstVisibleRow(),a=p.view.wt.wtTable.getFirstVisibleColumn(),c={row:null,col:null};E.hooks.run(p,"beforeSetRangeEnd",e),p.selection.begin(),c.row=e.row<0?s:e.row,c.col=e.col<0?a:e.col,l.selRange.to=new ue(c.row,c.col),l.settings.multiSelect||(l.selRange.from=e),p.view.wt.selections.current.clear(),n=p.getCellMeta(l.selRange.highlight.row,l.selRange.highlight.col).disableVisualSelection,"string"==typeof 
n&&(n=[n]),(n===!1||Array.isArray(n)&&n.indexOf("current")===-1)&&p.view.wt.selections.current.add(l.selRange.highlight),p.view.wt.selections.area.clear(),(n===!1||Array.isArray(n)&&n.indexOf("area")===-1)&&h.isMultiple()&&(p.view.wt.selections.area.add(l.selRange.from),p.view.wt.selections.area.add(l.selRange.to)),(l.settings.currentHeaderClassName||l.settings.currentRowClassName||l.settings.currentColClassName)&&(p.view.wt.selections.highlight.clear(),p.view.wt.selections.highlight.add(l.selRange.from),p.view.wt.selections.highlight.add(l.selRange.to)),E.hooks.run(p,"afterSelection",l.selRange.from.row,l.selRange.from.col,l.selRange.to.row,l.selRange.to.col),E.hooks.run(p,"afterSelectionByProp",l.selRange.from.row,u.colToProp(l.selRange.from.col),l.selRange.to.row,u.colToProp(l.selRange.to.col)),(0===l.selRange.from.row&&l.selRange.to.row===p.countRows()-1&&p.countRows()>1||0===l.selRange.from.col&&l.selRange.to.col===p.countCols()-1&&p.countCols()>1)&&(r=!0),(e.row<0||e.col<0)&&(i=!1),t!==!1&&!r&&i&&(l.selRange.from&&!h.isMultiple()?p.view.scrollViewport(l.selRange.from):p.view.scrollViewport(e)),h.refreshBorders(null,o)}},refreshBorders:function(e,t){t||f.destroyEditor(e),p.view.render(),h.isSelected()&&!t&&f.prepareEditor()},isMultiple:function(){var e=!(l.selRange.to.col===l.selRange.from.col&&l.selRange.to.row===l.selRange.from.row),t=E.hooks.run(p,"afterIsMultipleSelection",e);if(e)return t},transformStart:function(e,t,o,n){var r,i,s,a,u=new 
ue(e,t),c=0,d=0;p.runHooks("modifyTransformStart",u),r=p.countRows(),i=p.countCols(),a=p.getSettings().fixedRowsBottom,l.selRange.highlight.row+e>r-1?o&&l.settings.minSpareRows>0&&!(a&&l.selRange.highlight.row>=r-a-1)?(p.alter("insert_row",r),r=p.countRows()):l.settings.autoWrapCol&&(u.row=1-r,u.col=l.selRange.highlight.col+u.col==i-1?1-i:1):l.settings.autoWrapCol&&l.selRange.highlight.row+u.row<0&&l.selRange.highlight.col+u.col>=0&&(u.row=r-1,u.col=l.selRange.highlight.col+u.col==0?i-1:-1),l.selRange.highlight.col+u.col>i-1?o&&l.settings.minSpareCols>0?(p.alter("insert_col",i),i=p.countCols()):l.settings.autoWrapRow&&(u.row=l.selRange.highlight.row+u.row==r-1?1-r:1,u.col=1-i):l.settings.autoWrapRow&&l.selRange.highlight.col+u.col<0&&l.selRange.highlight.row+u.row>=0&&(u.row=l.selRange.highlight.row+u.row==0?r-1:-1,u.col=i-1),s=new ue(l.selRange.highlight.row+u.row,l.selRange.highlight.col+u.col),s.row<0?(c=-1,s.row=0):s.row>0&&s.row>=r&&(c=1,s.row=r-1),s.col<0?(d=-1,s.col=0):s.col>0&&s.col>=i&&(d=1,s.col=i-1),p.runHooks("afterModifyTransformStart",s,c,d),h.setRangeStart(s,n)},transformEnd:function(e,t){var o,n,r,i=new ue(e,t),s=0,a=0;p.runHooks("modifyTransformEnd",i),o=p.countRows(),n=p.countCols(),r=new ue(l.selRange.to.row+i.row,l.selRange.to.col+i.col),r.row<0?(s=-1,r.row=0):r.row>0&&r.row>=o&&(s=1,r.row=o-1),r.col<0?(a=-1,r.col=0):r.col>0&&r.col>=n&&(a=1,r.col=n-1),p.runHooks("afterModifyTransformEnd",r,s,a),h.setRangeEnd(r,!0)},isSelected:function(){return 
null!==l.selRange},inInSelection:function(e){return!!h.isSelected()&&l.selRange.includes(e)},deselect:function(){h.isSelected()&&(p.selection.inProgress=!1,l.selRange=null,p.view.wt.selections.current.clear(),p.view.wt.selections.area.clear(),(l.settings.currentHeaderClassName||l.settings.currentRowClassName||l.settings.currentColClassName)&&p.view.wt.selections.highlight.clear(),f.destroyEditor(),h.refreshBorders(),H(p.rootElement,["ht__selection--rows","ht__selection--columns"]),E.hooks.run(p,"afterDeselect"))},selectAll:function(){l.settings.multiSelect&&(h.setRangeStart(new ue(0,0)),h.setRangeEnd(new ue(p.countRows()-1,p.countCols()-1),!1))},empty:function(){if(h.isSelected()){var e,t,o=l.selRange.getTopLeftCorner(),n=l.selRange.getBottomRightCorner(),r=[];for(e=o.row;e<=n.row;e++)for(t=o.col;t<=n.col;t++)p.getCellMeta(e,t).readOnly||r.push([e,t,""]);p.setDataAtCell(r)}}},this.init=function(){c.setData(l.settings.data),E.hooks.run(p,"beforeInit"),W()&&k(p.rootElement,"mobile"),this.updateSettings(l.settings,!0),this.view=new oe(this),f=new V(p,l,h,u),this.forceFullRender=!0,E.hooks.run(p,"init"),this.view.render(),"object"==typeof l.firstRun&&(E.hooks.run(p,"afterChange",l.firstRun[0],l.firstRun[1]),l.firstRun=!1),E.hooks.run(p,"afterInit")},this.validateCell=function(e,t,o,n){function r(e){var n=t.visualCol,r=t.visualRow,i=p.getCell(r,n,!0);i&&"TH"!=i.nodeName&&p.view.wt.wtSettings.settings.cellRenderer(r,n,i),o(e)}var i=p.getCellValidator(t);"[object RegExp]"===Object.prototype.toString.call(i)&&(i=function(e){return function(t,o){o(e.test(t))}}(i)),P(i)?(e=E.hooks.run(p,"beforeValidate",e,t.visualRow,t.prop,n),p._registerTimeout(setTimeout(function(){i.call(t,e,function(o){o=E.hooks.run(p,"afterValidate",o,e,t.visualRow,t.prop,n),t.valid=o,r(o),E.hooks.run(p,"postAfterValidate",o,e,t.visualRow,t.prop,n)})},0))):p._registerTimeout(setTimeout(function(){t.valid=!0,r(t.valid)},0))},this.setDataAtCell=function(e,t,o,s){var 
a,l,d,h=i(e,t,o),f=[];for(a=0,l=h.length;a-1?(P(e[o])||Array.isArray(e[o]))&&p.addHook(o,e[o]):!t&&e.hasOwnProperty(o)&&(g.prototype[o]=e[o]));if(void 0===e.data&&void 0===l.settings.data?p.loadData(null):void 0!==e.data?p.loadData(e.data):void 0!==e.columns&&u.createMap(),r=p.countCols(),e.columns&&P(e.columns)&&(r=p.countSourceCols(),i=!0),void 0===e.cell&&void 0===e.cells&&void 0===e.columns||(l.cellSettings.length=0),r>0){var a,c;for(o=0,n=0;o-1||b.indexOf("overflow")>-1)?p.rootElement.setAttribute("style",b):(p.rootElement.style.height="",p.rootElement.style.overflow="")}else void 0!==v&&(p.rootElement.style.height=v+"px",p.rootElement.style.overflow="hidden");if("undefined"!=typeof e.width){var C=e.width;P(C)&&(C=C()),p.rootElement.style.width=C+"px"}t||(u.clearLengthCache(),E.hooks.run(p,"afterUpdateSettings")),d.adjustRowsAndCols(),p.view&&!l.firstRun&&(p.forceFullRender=!0,h.refreshBorders(null,!0)),t||!p.view||""!==w&&""!==v&&void 0!==v||w===v||p.view.wt.wtOverlays.updateMainScrollableElements()},this.getValue=function(){var e=p.getSelected();if(g.prototype.getValue){if(P(g.prototype.getValue))return g.prototype.getValue.call(p);if(e)return p.getData()[e[0]][g.prototype.getValue]}else if(e)return p.getDataAtCell(e[0],e[1])},this.getSettings=function(){return l.settings},this.clear=function(){h.selectAll(),h.empty()},this.alter=function(e,t,o,n,r){d.alter(e,t,o,n,r)},this.getCell=function(e,t,o){return p.view.getCellAtCoords(new ue(e,t),o)},this.getCoords=function(e){return this.view.wt.wtTable.getCoords.call(this.view.wt.wtTable,e)},this.colToProp=function(e){return u.colToProp(e)},this.propToCol=function(e){return u.propToCol(e)},this.toVisualRow=function(e){return w.toVisualRow(e)},this.toVisualColumn=function(e){return w.toVisualColumn(e)},this.toPhysicalRow=function(e){return w.toPhysicalRow(e)},this.toPhysicalColumn=function(e){return w.toPhysicalColumn(e)},this.getDataAtCell=function(e,t){return 
u.get(e,u.colToProp(t))},this.getDataAtRowProp=function(e,t){return u.get(e,t)},this.getDataAtCol=function(e){var t=[];return t.concat.apply(t,u.getRange(new ue(0,e),new ue(l.settings.data.length-1,e),u.DESTINATION_RENDERER))},this.getDataAtProp=function(e){var t,o=[];return t=u.getRange(new ue(0,u.propToCol(e)),new ue(l.settings.data.length-1,u.propToCol(e)),u.DESTINATION_RENDERER),o.concat.apply(o,t)},this.getSourceData=function(e,t,o,n){var r;return r=void 0===e?c.getData():c.getByRange(new ue(e,t),new ue(o,n))},this.getSourceDataArray=function(e,t,o,n){var r;return r=void 0===e?c.getData(!0):c.getByRange(new ue(e,t),new ue(o,n),!0)},this.getSourceDataAtCol=function(e){return c.getAtColumn(e)},this.getSourceDataAtRow=function(e){ -return c.getAtRow(e)},this.getSourceDataAtCell=function(e,t){return c.getAtCell(e,t)},this.getDataAtRow=function(e){var t=u.getRange(new ue(e,0),new ue(e,this.countCols()-1),u.DESTINATION_RENDERER);return t[0]},this.getDataType=function(e,t,o,n){var r=this,i=null,s=null;void 0===e&&(e=0,o=this.countRows(),t=0,n=this.countCols()),void 0===o&&(o=e),void 0===n&&(n=t);var a="mixed";return te(Math.min(e,o),Math.max(e,o),function(e){var o=!0;return te(Math.min(t,n),Math.max(t,n),function(t){var n=r.getCellMeta(e,t);return s=n.type,i?o=i===s:i=s,o}),a=o?s:"mixed",o}),a},this.removeCellMeta=function(e,t,o){var n=p.getCellMeta(e,t);void 0!=n[o]&&delete l.cellSettings[e][t][o]},this.spliceCellsMeta=function(e,t){for(var o,n=[],r=2;r=0;){for(var r=p.countCols()-1;r>=0;)t.addValidatorToQueue(),p.validateCell(p.getDataAtCell(n,r),p.getCellMeta(n,r),function(e){if("boolean"!=typeof e)throw new Error("Validation error: result is not boolean");e===!1&&(t.valid=!1),t.removeValidatorFormQueue()},"validateCells"),r--;n--}t.checkIfQueueIsEmpty()},this.getRowHeader=function(e){var t=l.settings.rowHeaders;return void 0!==e&&(e=E.hooks.run(p,"modifyRowHeader",e)),void 
0===e?(t=[],te(p.countRows()-1,function(e){t.push(p.getRowHeader(e))})):Array.isArray(t)&&void 0!==t[e]?t=t[e]:P(t)?t=t(e):t&&"string"!=typeof t&&"number"!=typeof t&&(t=e+1),t},this.hasRowHeaders=function(){return!!l.settings.rowHeaders},this.hasColHeaders=function(){if(void 0!==l.settings.colHeaders&&null!==l.settings.colHeaders)return!!l.settings.colHeaders;for(var e=0,t=p.countCols();e=0;){if(t=E.hooks.run(this,"modifyRow",o),p.isEmptyRow(t))n++;else if(e)break;o--}return n},this.countEmptyCols=function(e){if(p.countRows()<1)return 0;for(var t=p.countCols()-1,o=0;t>=0;){if(p.isEmptyCol(t))o++;else if(e)break;t--}return o},this.isEmptyRow=function(e){return l.settings.isEmptyRow.call(p,e)},this.isEmptyCol=function(e){return l.settings.isEmptyCol.call(p,e)},this.selectCell=function(e,t,o,n,r,i){var s;if(i=I(i)||i===!0,"number"!=typeof e||e<0||e>=p.countRows())return!1;if("number"!=typeof t||t<0||t>=p.countCols())return!1;if(L(o)){if("number"!=typeof o||o<0||o>=p.countRows())return!1;if("number"!=typeof n||n<0||n>=p.countCols())return!1}return s=new ue(e,t),l.selRange=new ce(s,s,s),i&&p.listen(),I(o)?h.setRangeEnd(l.selRange.from,r):h.setRangeEnd(new ue(o,n),r),p.selection.finish(),!0},this.selectCellByProp=function(e,t,o,n,r){return arguments[1]=u.propToCol(arguments[1]),L(arguments[3])&&(arguments[3]=u.propToCol(arguments[3])),p.selectCell.apply(p,arguments)},this.deselectCell=function(){h.deselect()},this.scrollViewportTo=function(e,t){var o=void 0!==arguments[2]&&arguments[2],n=void 0!==arguments[3]&&arguments[3];if(void 0!==e&&(e<0||e>=p.countRows()))return!1;if(void 0!==t&&(t<0||t>=p.countCols()))return!1;var r=!1;return void 0!==e&&void 0!==t&&(p.view.wt.wtOverlays.topOverlay.scrollTo(e,o),p.view.wt.wtOverlays.leftOverlay.scrollTo(t,n),r=!0),"number"==typeof e&&"number"!=typeof t&&(p.view.wt.wtOverlays.topOverlay.scrollTo(e,o),r=!0),"number"==typeof t&&"number"!=typeof 
e&&(p.view.wt.wtOverlays.leftOverlay.scrollTo(t,n),r=!0),r},this.destroy=function(){p._clearTimeouts(),p.view&&p.view.destroy(),c&&c.destroy(),c=null,D(p.rootElement),m.destroy(),E.hooks.run(p,"afterDestroy"),E.hooks.destroy(p);for(var e in p)p.hasOwnProperty(e)&&(P(p[e])?p[e]=a:"guid"!==e&&(p[e]=null));u&&u.destroy(),u=null,l=null,d=null,h=null,f=null,p=null,g=null},this.getActiveEditor=function(){return f.getActiveEditor()},this.getPlugin=function(e){return J(this,e)},this.getInstance=function(){return p},this.addHook=function(e,t){E.hooks.add(e,t,p)},this.hasHook=function(e){return E.hooks.has(e,p)},this.addHookOnce=function(e,t){E.hooks.once(e,t,p)},this.removeHook=function(e,t){E.hooks.remove(e,t,p)},this.runHooks=function(e,t,o,n,r,i,s){return E.hooks.run(p,e,t,o,n,r,i,s)},this.timeouts=[],this._registerTimeout=function(e){this.timeouts.push(e)},this._clearTimeouts=function(){for(var e=0,t=this.timeouts.length;e0?s:this.instance.countSourceCols(),i=!0),e=0;e=this.instance.countSourceRows())&&(e=this.instance.countSourceRows()),f.hooks.run(this.instance,"beforeCreateRow",e,t,o),r=e;for(var a=this.instance.getSettings().maxRows;s=this.instance.countCols())&&(e=this.instance.countCols()),f.hooks.run(this.instance,"beforeCreateCol",e,t,o),r=e;for(var l=this.instance.getSettings().maxCols;a=this.instance.countCols()){if(i>0)for(var u=0;u-1){var i=t.split("."),s=o;if(!s)return null;for(var a=0,l=i.length;a-1){for(var a=t.split("."),l=r,u=0,c=a.length-1;uo[2]&&(n=o[0],o[0]=o[2],o[2]=n),o[1]>o[3]&&(n=o[1],o[1]=o[3],o[3]=n)):o=[this.row,this.col,null,null],this.instance.populateFromArray(o[0],o[1],e,o[2],o[3],"edit")},n.prototype.beginEditing=function(e,t){this.state==a.EditorState.VIRGIN&&(this.instance.view.scrollViewport(new u(this.row,this.col)),this.instance.view.render(),this.state=a.EditorState.EDITING,e="string"==typeof 
e?e:this.originalValue,this.setValue(l(e)),this.open(t),this._opened=!0,this.focus(),this.instance.view.render(),this.instance.runHooks("afterBeginEditing",this.row,this.col))},n.prototype.finishEditing=function(e,t,o){var n,r=this;if(o){var i=this._closeCallback;this._closeCallback=function(e){i&&i(e),o(e),r.instance.view.render()}}if(!this.isWaiting()){if(this.state==a.EditorState.VIRGIN)return void this.instance._registerTimeout(setTimeout(function(){r._fireCallbacks(!0)},0));if(this.state==a.EditorState.EDITING){if(e)return this.cancelChanges(),void this.instance.view.render();var s=this.getValue();n=this.instance.getSettings().trimWhitespace?[["string"==typeof s?String.prototype.trim.call(s||""):s]]:[[s]],this.state=a.EditorState.WAITING,this.saveValue(n,t),this.instance.getCellValidator(this.cellProperties)?this.instance.addHookOnce("postAfterValidate",function(e){r.state=a.EditorState.FINISHED,r.discardEditor(e)}):(this.state=a.EditorState.FINISHED,this.discardEditor(!0))}}},n.prototype.cancelChanges=function(){this.state=a.EditorState.FINISHED,this.discardEditor()},n.prototype.discardEditor=function(e){this.state===a.EditorState.FINISHED&&(e===!1&&this.cellProperties.allowInvalid!==!0?(this.instance.selectCell(this.row,this.col),this.focus(),this.state=a.EditorState.EDITING,this._fireCallbacks(!1)):(this.close(),this._opened=!1,this._fullEditMode=!1,this.state=a.EditorState.VIRGIN,this._fireCallbacks(!0)))},n.prototype.enableFullEditMode=function(){this._fullEditMode=!0},n.prototype.isInFullEditMode=function(){return this._fullEditMode},n.prototype.isOpened=function(){return this._opened},n.prototype.isWaiting=function(){return this.state===a.EditorState.WAITING},n.prototype.checkEditorSection=function(){var e=this.instance.countRows(),t="";return this.row=e-this.instance.getSettings().fixedRowsBottom?t=this.col"+l+""))),e.innerHTML=i},autoColumnSize:!0,modifyColWidth:function(e,t){var n=this.getPlugin("autoColumnSize").widths;return 
n[t]&&(e=n[t]),o?e:e+15}}),this.htEditor.view.wt.wtTable.holder.parentNode.style["padding-right"]=_()+2+"px",H&&(H=!1),t.instance._registerTimeout(setTimeout(function(){t.queryChoices(t.TEXTAREA.value)},0))},x.prototype.close=function(){D.prototype.close.apply(this,arguments)},x.prototype.queryChoices=function(e){var t=this;this.query=e;var o=this.cellProperties,n=o.source,r=(o.filter,o.filteringCaseSensitive,o.allowHtml),i=function(e){return v(e,function(e){return g(e)})};"function"==typeof n?n.call(this.cellProperties,e,function(e){t.updateChoicesList(r?e:i(e))}):Array.isArray(n)?this.updateChoicesList(r?n:i(n)):this.updateChoicesList([])},x.prototype.updateChoicesList=function(e){var t=C(this.TEXTAREA),o=R(this.TEXTAREA),n=this.cellProperties.sortByRelevance,r=this.cellProperties.filter,i=null,s=null;n&&(i=x.sortByRelevance(this.getValue(),e,this.cellProperties.filteringCaseSensitive));var a=Array.isArray(i)?i.length:0;if(r===!1)a&&(s=i[0]);else{for(var l=[],u=0,c=e.length;ul&&a>l;return u?this.flipDropdown(o):this.unflipDropdown(),this.limitDropdownIfNeeded(u?a:l,o),u},x.prototype.limitDropdownIfNeeded=function(e,t){if(t>e){var o=0,n=0,r=0,i=null;do r=this.htEditor.getRowHeight(n)||this.htEditor.view.wt.wtSettings.settings.defaultRowHeight,o+=r,n++;while(ot.charsLeft?1:0:void 0}),s=0,c=a.length;s=t?t*e:this.choices.length*e+8},x.prototype.allowKeyEventPropagation=function(e){var t={row:this.htEditor.getSelectedRange()?this.htEditor.getSelectedRange().from.row:-1},o=!1;return e===h.ARROW_DOWN&&t.row>0&&t.row-1&&(o=!0),o},x.prototype.discardEditor=function(e){D.prototype.discardEditor.apply(this,arguments),this.instance.view.render()},k("autocomplete",x)},{editors:30,handsontableEditor:36,"helpers/array":43,"helpers/dom/element":47,"helpers/mixed":51,"helpers/string":55,"helpers/unicode":56}],33:[function(e,t,o){"use strict";Object.defineProperties(o,{CheckboxEditor:{get:function(){return u}},__esModule:{value:!0}});var 
n,r,i,s=(n=e("editors"),n&&n.__esModule&&n||{default:n}).registerEditor,a=(r=e("_baseEditor"),r&&r.__esModule&&r||{default:r}).BaseEditor,l=(i=e("helpers/dom/element"),i&&i.__esModule&&i||{default:i}).hasClass,u=function(){$traceurRuntime.superConstructor(c).apply(this,arguments)},c=u;$traceurRuntime.createClass(u,{beginEditing:function(e,t){if(void 0===t){var o=this.TD.querySelector('input[type="checkbox"]');l(o,"htBadValue")||o.click()}},finishEditing:function(){},init:function(){},open:function(){},close:function(){},getValue:function(){},setValue:function(){},focus:function(){}},{},a),s("checkbox",u)},{_baseEditor:31,editors:30,"helpers/dom/element":47}],34:[function(e,t,o){"use strict";Object.defineProperties(o,{DateEditor:{get:function(){return E}},__esModule:{value:!0}});var n,r,i,s,a,l,u,c,d,h,f=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,p=(r=e("helpers/dom/element"),r&&r.__esModule&&r||{default:r}),g=p.addClass,m=p.outerHeight,w=(i=e("helpers/object"),i&&i.__esModule&&i||{default:i}).deepExtend,v=(s=e("eventManager"),s&&s.__esModule&&s||{default:s}).EventManager,y=(a=e("editors"),a&&a.__esModule&&a||{default:a}),b=(y.getEditor,y.registerEditor),C=(l=e("helpers/unicode"),l&&l.__esModule&&l||{default:l}).isMetaKey,_=(u=e("helpers/dom/event"),u&&u.__esModule&&u||{default:u}).stopPropagation,R=(c=e("textEditor"),c&&c.__esModule&&c||{default:c}).TextEditor,M=(d=e("moment"),d&&d.__esModule&&d||{default:d}).default,S=(h=e("pikaday"),h&&h.__esModule&&h||{default:h}).default,E=function(e){this.$datePicker=null,this.datePicker=null,this.datePickerStyle=null,this.defaultDateFormat="DD/MM/YYYY",this.isCellEdited=!1,this.parentDestroyed=!1,$traceurRuntime.superConstructor(O).call(this,e)},O=E;$traceurRuntime.createClass(E,{init:function(){var e=this;if("function"!=typeof M)throw new Error("You need to include moment.js to your project.");if("function"!=typeof S)throw new Error("You need to include Pikaday to your 
project.");$traceurRuntime.superGet(this,O.prototype,"init").call(this),this.instance.addHook("afterDestroy",function(){e.parentDestroyed=!0,e.destroyElements()})},createElements:function(){$traceurRuntime.superGet(this,O.prototype,"createElements").call(this),this.datePicker=document.createElement("DIV"),this.datePickerStyle=this.datePicker.style,this.datePickerStyle.position="absolute",this.datePickerStyle.top=0,this.datePickerStyle.left=0,this.datePickerStyle.zIndex=9999,g(this.datePicker,"htDatepickerHolder"),document.body.appendChild(this.datePicker),this.$datePicker=new S(this.getDatePickerConfig());var e=new v(this);e.addEventListener(this.datePicker,"mousedown",function(e){return _(e)}),this.hideDatepicker()},destroyElements:function(){this.$datePicker.destroy()},prepare:function(e,t,o,n,r,i){this._opened=!1,$traceurRuntime.superGet(this,O.prototype,"prepare").call(this,e,t,o,n,r,i)},open:function(){var e=void 0!==arguments[0]?arguments[0]:null;$traceurRuntime.superGet(this,O.prototype,"open").call(this),this.showDatepicker(e)},close:function(){var e=this;this._opened=!1,this.instance._registerTimeout(setTimeout(function(){e.instance.selection.refreshBorders()},0)),$traceurRuntime.superGet(this,O.prototype,"close").call(this)},finishEditing:function(){var e=void 0!==arguments[0]&&arguments[0],t=void 0!==arguments[1]&&arguments[1];if(e){var o=this.originalValue;void 0!==o&&this.setValue(o)}this.hideDatepicker(),$traceurRuntime.superGet(this,O.prototype,"finishEditing").call(this,e,t)},showDatepicker:function(e){this.$datePicker.config(this.getDatePickerConfig());var 
t,o=this.TD.getBoundingClientRect(),n=this.cellProperties.dateFormat||this.defaultDateFormat,r=this.$datePicker.config(),i=this.instance.view.isMouseDown(),s=!!e&&C(e.keyCode);this.datePickerStyle.top=window.pageYOffset+o.top+m(this.TD)+"px",this.datePickerStyle.left=window.pageXOffset+o.left+"px",this.$datePicker._onInputFocus=function(){},r.format=n,this.originalValue?(t=this.originalValue,M(t,n,!0).isValid()&&this.$datePicker.setMoment(M(t,n),!0),this.getValue()!==this.originalValue&&this.setValue(this.originalValue),s||i||this.setValue("")):this.cellProperties.defaultDate?(t=this.cellProperties.defaultDate,r.defaultDate=t,M(t,n,!0).isValid()&&this.$datePicker.setMoment(M(t,n),!0),s||i||this.setValue("")):this.$datePicker.gotoToday(),this.datePickerStyle.display="block",this.$datePicker.show()},hideDatepicker:function(){this.datePickerStyle.display="none",this.$datePicker.hide()},getDatePickerConfig:function(){var e=this,t=this.TEXTAREA,o={};this.cellProperties&&this.cellProperties.datePickerConfig&&w(o,this.cellProperties.datePickerConfig);var n=o.onSelect,r=o.onClose;return o.field=t,o.trigger=t,o.container=this.datePicker,o.bound=!1,o.format=o.format||this.defaultDateFormat,o.reposition=o.reposition||!1,o.onSelect=function(t){isNaN(t.getTime())||(t=M(t).format(e.cellProperties.dateFormat||e.defaultDateFormat)),e.setValue(t),e.hideDatepicker(),n&&n()},o.onClose=function(){e.parentDestroyed||e.finishEditing(!1),r&&r()},o}},{},R),f.editors=f.editors||{},f.editors.DateEditor=E,b("date",E)},{browser:24,editors:30,eventManager:42,"helpers/dom/element":47,"helpers/dom/event":48,"helpers/object":53,"helpers/unicode":56,moment:"moment",pikaday:"pikaday",textEditor:41}],35:[function(e,t,o){"use strict";Object.defineProperties(o,{DropdownEditor:{get:function(){return c}},__esModule:{value:!0}});var 
n,r,i,s=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,a=(r=e("editors"),r&&r.__esModule&&r||{default:r}),l=(a.getEditor,a.registerEditor),u=(a.getEditorConstructor,(i=e("autocompleteEditor"),i&&i.__esModule&&i||{default:i}).AutocompleteEditor),c=function(){$traceurRuntime.superConstructor(d).apply(this,arguments)},d=c;$traceurRuntime.createClass(c,{prepare:function(e,t,o,n,r,i){$traceurRuntime.superGet(this,d.prototype,"prepare").call(this,e,t,o,n,r,i),this.cellProperties.filter=!1,this.cellProperties.strict=!0}},{},u),s.hooks.add("beforeValidate",function(e,t,o,n){var r=this.getCellMeta(t,this.propToCol(o));r.editor===s.editors.DropdownEditor&&void 0===r.strict&&(r.filter=!1,r.strict=!0)}),l("dropdown",c)},{autocompleteEditor:32,browser:24,editors:30}],36:[function(e,t,o){"use strict";Object.defineProperties(o,{HandsontableEditor:{get:function(){return b}},__esModule:{value:!0}});var n,r,i,s,a,l,u,c=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,d=(r=e("helpers/unicode"),r&&r.__esModule&&r||{default:r}).KEY_CODES,h=(i=e("helpers/object"),i&&i.__esModule&&i||{default:i}).extend,f=(s=e("helpers/dom/element"),s&&s.__esModule&&s||{default:s}).setCaretPosition,p=(a=e("helpers/dom/event"),a&&a.__esModule&&a||{default:a}),g=p.stopImmediatePropagation,m=p.isImmediatePropagationStopped,w=(l=e("editors"),l&&l.__esModule&&l||{default:l}),v=(w.getEditor,w.registerEditor),y=(u=e("textEditor"),u&&u.__esModule&&u||{default:u}).TextEditor,b=y.prototype.extend();b.prototype.createElements=function(){y.prototype.createElements.apply(this,arguments);var e=document.createElement("DIV");e.className="handsontableEditor",this.TEXTAREA_PARENT.appendChild(e),this.htContainer=e,this.assignHooks()},b.prototype.prepare=function(e,t,o,n,r,i){y.prototype.prepare.apply(this,arguments);var s=this,a={startRows:0,startCols:0,minRows:0,minCols:0,className:"listbox",copyPaste:!1,autoColumnSize:!1,autoRowSize:!1,readOnly:!0,fillHandle:!1,afterOnCellMouseDown:function(){var 
e=this.getValue();void 0!==e&&s.setValue(e),s.instance.destroyEditor()}};this.cellProperties.handsontable&&h(a,i.handsontable),this.htOptions=a};var C=function(e){if(!m(e)){var t,o=this.getActiveEditor(),n=o.htEditor.getInstance();if(e.keyCode==d.ARROW_DOWN)if(n.getSelected()||n.flipped){if(n.getSelected())if(n.flipped)t=n.getSelected()[0]+1;else if(!n.flipped){var r=n.getSelected()[0],i=n.countRows()-1;t=Math.min(i,r+1)}}else t=0;else if(e.keyCode==d.ARROW_UP)if(!n.getSelected()&&n.flipped)t=n.countRows()-1;else if(n.getSelected())if(n.flipped){var r=n.getSelected()[0];t=Math.max(0,r-1)}else{var r=n.getSelected()[0];t=r-1}void 0!==t&&(t<0||n.flipped&&t>n.countRows()-1?n.deselectCell():n.selectCell(t,0),n.getData().length&&(e.preventDefault(),g(e),o.instance.listen(),o.TEXTAREA.focus()))}};b.prototype.open=function(){this.instance.addHook("beforeKeyDown",C),y.prototype.open.apply(this,arguments),this.htEditor&&this.htEditor.destroy(),this.htEditor=new c(this.htContainer,this.htOptions),this.cellProperties.strict?(this.htEditor.selectCell(0,0),this.TEXTAREA.style.visibility="hidden"):(this.htEditor.deselectCell(),this.TEXTAREA.style.visibility="visible"),f(this.TEXTAREA,0,this.TEXTAREA.value.length)},b.prototype.close=function(){this.instance.removeHook("beforeKeyDown",C),this.instance.listen(),y.prototype.close.apply(this,arguments)},b.prototype.focus=function(){this.instance.listen(),y.prototype.focus.apply(this,arguments)},b.prototype.beginEditing=function(e){var t=this.instance.getSettings().onBeginEditing;t&&t()===!1||y.prototype.beginEditing.apply(this,arguments)},b.prototype.finishEditing=function(e,t){if(this.htEditor&&this.htEditor.isListening()&&this.instance.listen(),this.htEditor&&this.htEditor.getSelected()){var o=this.htEditor.getInstance().getValue();void 0!==o&&this.setValue(o)}return y.prototype.finishEditing.apply(this,arguments)},b.prototype.assignHooks=function(){var 
e=this;this.instance.addHook("afterDestroy",function(){e.htEditor&&e.htEditor.destroy()})},v("handsontable",b)},{browser:24,editors:30,"helpers/dom/element":47,"helpers/dom/event":48,"helpers/object":53,"helpers/unicode":56,textEditor:41}],37:[function(e,t,o){"use strict";Object.defineProperties(o,{MobileTextEditor:{get:function(){return k}},__esModule:{value:!0}});var n,r,i,s,a,l,u,c=((n=e("browser"),n&&n.__esModule&&n||{default:n}).default,(r=e("helpers/unicode"),r&&r.__esModule&&r||{default:r}).KEY_CODES),d=(i=e("helpers/dom/event"),i&&i.__esModule&&i||{default:i}),h=d.stopImmediatePropagation,f=d.isImmediatePropagationStopped,p=(s=e("helpers/dom/element"),s&&s.__esModule&&s||{default:s}),g=p.addClass,m=p.getScrollLeft,w=p.getScrollTop,v=p.hasClass,y=p.isChildOf,b=p.offset,C=p.outerHeight,_=p.outerWidth,R=p.removeClass,M=p.setCaretPosition,S=(a=e("editors"),a&&a.__esModule&&a||{default:a}),E=(S.getEditor,S.registerEditor),O=(l=e("_baseEditor"),l&&l.__esModule&&l||{default:l}).BaseEditor,T=(u=e("eventManager"),u&&u.__esModule&&u||{default:u}).eventManager,k=O.prototype.extend(),D={},x=function(){this.controls={},this.controls.leftButton=document.createElement("DIV"),this.controls.leftButton.className="leftButton",this.controls.rightButton=document.createElement("DIV"),this.controls.rightButton.className="rightButton",this.controls.upButton=document.createElement("DIV"),this.controls.upButton.className="upButton",this.controls.downButton=document.createElement("DIV"),this.controls.downButton.className="downButton";for(var e in this.controls)this.controls.hasOwnProperty(e)&&this.positionControls.appendChild(this.controls[e])};k.prototype.valueChanged=function(){return this.initValue!=this.getValue()},k.prototype.init=function(){var e=this;this.eventManager=T(this.instance),this.createElements(),this.bindEvents(),this.instance.addHook("afterDestroy",function(){e.destroy()})},k.prototype.getValue=function(){return 
this.TEXTAREA.value},k.prototype.setValue=function(e){this.initValue=e,this.TEXTAREA.value=e},k.prototype.createElements=function(){this.editorContainer=document.createElement("DIV"),this.editorContainer.className="htMobileEditorContainer",this.cellPointer=document.createElement("DIV"),this.cellPointer.className="cellPointer",this.moveHandle=document.createElement("DIV"),this.moveHandle.className="moveHandle",this.inputPane=document.createElement("DIV"),this.inputPane.className="inputs",this.positionControls=document.createElement("DIV"),this.positionControls.className="positionControls",this.TEXTAREA=document.createElement("TEXTAREA"),g(this.TEXTAREA,"handsontableInput"),this.inputPane.appendChild(this.TEXTAREA),this.editorContainer.appendChild(this.cellPointer),this.editorContainer.appendChild(this.moveHandle),this.editorContainer.appendChild(this.inputPane),this.editorContainer.appendChild(this.positionControls),x.call(this),document.body.appendChild(this.editorContainer)},k.prototype.onBeforeKeyDown=function(e){var t=this,o=t.getActiveEditor();if(e.target===o.TEXTAREA&&!f(e))switch(e.keyCode){case c.ENTER:o.close(),e.preventDefault();break;case c.BACKSPACE:h(e)}},k.prototype.open=function(){this.instance.addHook("beforeKeyDown",this.onBeforeKeyDown),g(this.editorContainer,"active"),R(this.cellPointer,"hidden"),this.updateEditorPosition()},k.prototype.focus=function(){this.TEXTAREA.focus(),M(this.TEXTAREA,this.TEXTAREA.value.length)},k.prototype.close=function(){this.TEXTAREA.blur(),this.instance.removeHook("beforeKeyDown",this.onBeforeKeyDown),R(this.editorContainer,"active")},k.prototype.scrollToView=function(){var 
e=this.instance.getSelectedRange().highlight;this.instance.view.scrollViewport(e)},k.prototype.hideCellPointer=function(){v(this.cellPointer,"hidden")||g(this.cellPointer,"hidden")},k.prototype.updateEditorPosition=function(e,t){if(e&&t)e=parseInt(e,10),t=parseInt(t,10),this.editorContainer.style.top=t+"px",this.editorContainer.style.left=e+"px";else{var o=this.instance.getSelected(),n=this.instance.getCell(o[0],o[1]);if(D.cellPointer||(D.cellPointer={height:C(this.cellPointer),width:_(this.cellPointer)}),D.editorContainer||(D.editorContainer={width:_(this.editorContainer)}),void 0!==n){var r=this.instance.view.wt.wtOverlays.leftOverlay.trimmingContainer==window?0:m(this.instance.view.wt.wtOverlays.leftOverlay.holder),i=this.instance.view.wt.wtOverlays.topOverlay.trimmingContainer==window?0:w(this.instance.view.wt.wtOverlays.topOverlay.holder),s=b(n),a=_(n),l={x:r,y:i};this.editorContainer.style.top=parseInt(s.top+C(n)-l.y+D.cellPointer.height,10)+"px",this.editorContainer.style.left=parseInt(window.innerWidth/2-D.editorContainer.width/2,10)+"px",s.left+a/2>parseInt(this.editorContainer.style.left,10)+D.editorContainer.width?this.editorContainer.style.left=window.innerWidth-D.editorContainer.width+"px":s.left+a/2=0&&(o.select[n].selected=!0),C(e),e.preventDefault();break;case _.ARROW_DOWN:var r=o.select.selectedIndex+1;r<=o.select.length-1&&(o.select[r].selected=!0),C(e),e.preventDefault()}};E.prototype.open=function(){this._opened=!0,this.refreshDimensions(),this.select.style.display="",this.instance.addHook("beforeKeyDown",O)},E.prototype.close=function(){this._opened=!1,this.select.style.display="none",this.instance.removeHook("beforeKeyDown",O)},E.prototype.focus=function(){this.select.focus()},E.prototype.refreshValue=function(){var 
e=this.instance.getSourceDataAtCell(this.row,this.prop);this.originalValue=e,this.setValue(e),this.refreshDimensions()},E.prototype.refreshDimensions=function(){if(this.state===u.EditorState.EDITING){if(this.TD=this.getEditedCell(),!this.TD)return void this.close();var e,t=y(this.TD)+1,o=v(this.TD)+1,n=w(this.TD),r=w(this.instance.rootElement),i=m(this.TD),s=n.top-r.top-1-(i.scrollTop||0),a=n.left-r.left-1-(i.scrollLeft||0),l=this.checkEditorSection(),c=this.instance.getSettings();c.rowHeaders?1:0,c.colHeaders?1:0;switch(l){case"top":e=g(this.instance.view.wt.wtOverlays.topOverlay.clone.wtTable.holder.parentNode);break;case"left":e=g(this.instance.view.wt.wtOverlays.leftOverlay.clone.wtTable.holder.parentNode);break;case"top-left-corner":e=g(this.instance.view.wt.wtOverlays.topLeftCornerOverlay.clone.wtTable.holder.parentNode);break;case"bottom-left-corner":e=g(this.instance.view.wt.wtOverlays.bottomLeftCornerOverlay.clone.wtTable.holder.parentNode);break;case"bottom":e=g(this.instance.view.wt.wtOverlays.bottomOverlay.clone.wtTable.holder.parentNode)}0===this.instance.getSelected()[0]&&(s+=1), -0===this.instance.getSelected()[1]&&(a+=1);var d=this.select.style;e&&e!=-1?d[e[0]]=e[1]:b(this.select);var h=p(this.TD);parseInt(h.borderTopWidth,10)>0&&(o-=1),parseInt(h.borderLeftWidth,10)>0&&(t-=1),d.height=o+"px",d.minWidth=t+"px",d.top=s+"px",d.left=a+"px",d.margin="0px"}},E.prototype.getEditedCell=function(){var e,t=this.checkEditorSection();switch(t){case"top":e=this.instance.view.wt.wtOverlays.topOverlay.clone.wtTable.getCell({row:this.row,col:this.col}),this.select.style.zIndex=101;break;case"corner":e=this.instance.view.wt.wtOverlays.topLeftCornerOverlay.clone.wtTable.getCell({row:this.row,col:this.col}),this.select.style.zIndex=103;break;case"left":e=this.instance.view.wt.wtOverlays.leftOverlay.clone.wtTable.getCell({row:this.row,col:this.col}),this.select.style.zIndex=102;break;default:e=this.instance.getCell(this.row,this.col),this.select.style.zIndex=""}return 
e!=-1&&e!=-2?e:void 0},M("select",E)},{_baseEditor:31,browser:24,editors:30,"helpers/dom/element":47,"helpers/dom/event":48,"helpers/unicode":56}],41:[function(e,t,o){"use strict";Object.defineProperties(o,{TextEditor:{get:function(){return N}},__esModule:{value:!0}});var n,r,i,s,a,l,u,c,d=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,h=(r=e("helpers/dom/element"),r&&r.__esModule&&r||{default:r}),f=h.addClass,p=h.getCaretPosition,g=h.getComputedStyle,m=h.getCssTransform,w=h.getScrollableElement,v=h.getScrollbarWidth,y=h.innerWidth,b=h.offset,C=h.resetCssTransform,_=h.setCaretPosition,R=h.hasVerticalScrollbar,M=h.hasHorizontalScrollbar,S=(i=e("autoResize"),i&&i.__esModule&&i||{default:i}).default,E=(s=e("_baseEditor"),s&&s.__esModule&&s||{default:s}).BaseEditor,O=(a=e("eventManager"),a&&a.__esModule&&a||{default:a}).eventManager,T=(l=e("editors"),l&&l.__esModule&&l||{default:l}),k=(T.getEditor,T.registerEditor),D=(u=e("helpers/unicode"),u&&u.__esModule&&u||{default:u}).KEY_CODES,x=(c=e("helpers/dom/event"),c&&c.__esModule&&c||{default:c}),H=x.stopPropagation,A=x.stopImmediatePropagation,P=x.isImmediatePropagationStopped,N=E.prototype.extend();N.prototype.init=function(){var e=this;this.createElements(),this.eventManager=O(this),this.bindEvents(),this.autoResize=S(),this.instance.addHook("afterDestroy",function(){e.destroy()})},N.prototype.getValue=function(){return this.TEXTAREA.value},N.prototype.setValue=function(e){this.TEXTAREA.value=e};var L=function(e){var t,o=this,n=o.getActiveEditor();if(t=(e.ctrlKey||e.metaKey)&&!e.altKey,e.target===n.TEXTAREA&&!P(e)){if(17===e.keyCode||224===e.keyCode||91===e.keyCode||93===e.keyCode)return void A(e);switch(e.keyCode){case D.ARROW_RIGHT:n.isInFullEditMode()&&(!n.isWaiting()&&!n.allowKeyEventPropagation||!n.isWaiting()&&n.allowKeyEventPropagation&&!n.allowKeyEventPropagation(e.keyCode))&&A(e);break;case 
D.ARROW_LEFT:n.isInFullEditMode()&&(!n.isWaiting()&&!n.allowKeyEventPropagation||!n.isWaiting()&&n.allowKeyEventPropagation&&!n.allowKeyEventPropagation(e.keyCode))&&A(e);break;case D.ARROW_UP:case D.ARROW_DOWN:n.isInFullEditMode()&&(!n.isWaiting()&&!n.allowKeyEventPropagation||!n.isWaiting()&&n.allowKeyEventPropagation&&!n.allowKeyEventPropagation(e.keyCode))&&A(e);break;case D.ENTER:var r=n.instance.getSelected(),i=!(r[0]===r[2]&&r[1]===r[3]);if(t&&!i||e.altKey){if(n.isOpened()){var s=p(n.TEXTAREA),a=n.getValue(),l=a.slice(0,s)+"\n"+a.slice(s);n.setValue(l),_(n.TEXTAREA,s+1)}else n.beginEditing(n.originalValue+"\n");A(e)}e.preventDefault();break;case D.A:case D.X:case D.C:case D.V:t&&A(e);break;case D.BACKSPACE:case D.DELETE:case D.HOME:case D.END:A(e)}[D.ARROW_UP,D.ARROW_RIGHT,D.ARROW_DOWN,D.ARROW_LEFT].indexOf(e.keyCode)===-1&&n.autoResize.resize(String.fromCharCode(e.keyCode))}};N.prototype.open=function(){this.refreshDimensions(),this.instance.addHook("beforeKeyDown",L)},N.prototype.close=function(e){this.textareaParentStyle.display="none",this.autoResize.unObserve(),document.activeElement===this.TEXTAREA&&this.instance.listen(),this.instance.removeHook("beforeKeyDown",L)},N.prototype.focus=function(){this.TEXTAREA.focus(),_(this.TEXTAREA,this.TEXTAREA.value.length)},N.prototype.createElements=function(){this.TEXTAREA=document.createElement("TEXTAREA"),f(this.TEXTAREA,"handsontableInput"),this.textareaStyle=this.TEXTAREA.style,this.textareaStyle.width=0,this.textareaStyle.height=0,this.TEXTAREA_PARENT=document.createElement("DIV"),f(this.TEXTAREA_PARENT,"handsontableInputHolder"),this.textareaParentStyle=this.TEXTAREA_PARENT.style,this.textareaParentStyle.top=0,this.textareaParentStyle.left=0,this.textareaParentStyle.display="none",this.TEXTAREA_PARENT.appendChild(this.TEXTAREA),this.instance.rootElement.appendChild(this.TEXTAREA_PARENT);var 
e=this;this.instance._registerTimeout(setTimeout(function(){e.refreshDimensions()},0))},N.prototype.getEditedCell=function(){var e,t=this.checkEditorSection();switch(t){case"top":e=this.instance.view.wt.wtOverlays.topOverlay.clone.wtTable.getCell({row:this.row,col:this.col}),this.textareaParentStyle.zIndex=101;break;case"top-left-corner":e=this.instance.view.wt.wtOverlays.topLeftCornerOverlay.clone.wtTable.getCell({row:this.row,col:this.col}),this.textareaParentStyle.zIndex=103;break;case"bottom-left-corner":e=this.instance.view.wt.wtOverlays.bottomLeftCornerOverlay.clone.wtTable.getCell({row:this.row,col:this.col}),this.textareaParentStyle.zIndex=103;break;case"left":e=this.instance.view.wt.wtOverlays.leftOverlay.clone.wtTable.getCell({row:this.row,col:this.col}),this.textareaParentStyle.zIndex=102;break;case"bottom":e=this.instance.view.wt.wtOverlays.bottomOverlay.clone.wtTable.getCell({row:this.row,col:this.col}),this.textareaParentStyle.zIndex=102;break;default:e=this.instance.getCell(this.row,this.col),this.textareaParentStyle.zIndex=""}return e!=-1&&e!=-2?e:void 0},N.prototype.refreshValue=function(){var e=this.instance.getSourceDataAtCell(this.row,this.prop);this.originalValue=e,this.setValue(e),this.refreshDimensions()},N.prototype.refreshDimensions=function(){if(this.state===d.EditorState.EDITING){if(this.TD=this.getEditedCell(),!this.TD)return void this.close(!0);var 
e,t=b(this.TD),o=b(this.instance.rootElement),n=w(this.TD),r=this.instance.countRows(),i=t.top===o.top?0:1,s=t.top-o.top-i-(n.scrollTop||0),a=t.left-o.left-1-(n.scrollLeft||0),l=this.instance.getSettings(),u=(this.instance.hasRowHeaders(),this.instance.hasColHeaders()),c=this.checkEditorSection(),h=this.TD.style.backgroundColor;switch(c){case"top":e=m(this.instance.view.wt.wtOverlays.topOverlay.clone.wtTable.holder.parentNode);break;case"left":e=m(this.instance.view.wt.wtOverlays.leftOverlay.clone.wtTable.holder.parentNode);break;case"top-left-corner":e=m(this.instance.view.wt.wtOverlays.topLeftCornerOverlay.clone.wtTable.holder.parentNode);break;case"bottom-left-corner":e=m(this.instance.view.wt.wtOverlays.bottomLeftCornerOverlay.clone.wtTable.holder.parentNode);break;case"bottom":e=m(this.instance.view.wt.wtOverlays.bottomOverlay.clone.wtTable.holder.parentNode)}(u&&0===this.instance.getSelected()[0]||l.fixedRowsBottom&&this.instance.getSelected()[0]===r-l.fixedRowsBottom)&&(s+=1),0===this.instance.getSelected()[1]&&(a+=1),e&&e!=-1?this.textareaParentStyle[e[0]]=e[1]:C(this.TEXTAREA_PARENT),this.textareaParentStyle.top=s+"px",this.textareaParentStyle.left=a+"px";var 
f=this.instance.view.wt.wtViewport.rowsRenderCalculator.startPosition,p=this.instance.view.wt.wtViewport.columnsRenderCalculator.startPosition,_=this.instance.view.wt.wtOverlays.leftOverlay.getScrollPosition(),S=this.instance.view.wt.wtOverlays.topOverlay.getScrollPosition(),E=v(),O=this.TD.offsetTop+f-S,T=this.TD.offsetLeft+p-_,k=y(this.TD)-8,D=R(n)?E:0,x=M(n)?E:0,H=this.instance.view.maximumVisibleElementWidth(T)-9-D,A=this.TD.scrollHeight+1,P=Math.max(this.instance.view.maximumVisibleElementHeight(O)-x,23),N=g(this.TD);this.TEXTAREA.style.fontSize=N.fontSize,this.TEXTAREA.style.fontFamily=N.fontFamily,this.TEXTAREA.style.backgroundColor="",this.TEXTAREA.style.backgroundColor=h?h:g(this.TEXTAREA).backgroundColor,this.autoResize.init(this.TEXTAREA,{minHeight:Math.min(A,P),maxHeight:P,minWidth:Math.min(k,H),maxWidth:H},!0),this.textareaParentStyle.display="block"}},N.prototype.bindEvents=function(){var e=this;this.eventManager.addEventListener(this.TEXTAREA,"cut",function(e){H(e)}),this.eventManager.addEventListener(this.TEXTAREA,"paste",function(e){H(e)}),this.instance.addHook("afterScrollHorizontally",function(){e.refreshDimensions()}),this.instance.addHook("afterScrollVertically",function(){e.refreshDimensions()}),this.instance.addHook("afterColumnResize",function(){e.refreshDimensions(),e.focus()}),this.instance.addHook("afterRowResize",function(){e.refreshDimensions(),e.focus()}),this.instance.addHook("afterDestroy",function(){e.eventManager.destroy()})},N.prototype.destroy=function(){this.eventManager.destroy()},k("text",N)},{_baseEditor:31,autoResize:"autoResize",browser:24,editors:30,eventManager:42,"helpers/dom/element":47,"helpers/dom/event":48,"helpers/unicode":56}],42:[function(e,t,o){"use strict";function n(e,t){var o,n,r,i,s,a,l="HOT-TABLE";if(t.isTargetWebComponent=!1,t.realTarget=t.target,a=t.stopImmediatePropagation,t.stopImmediatePropagation=function(){a.apply(this),p(this)},!u.eventManager.isHotTableEnv)return 
t;for(t=d(t),s=t.path?t.path.length:0;s--;){if(t.path[s].nodeName===l)o=!0;else if(o&&t.path[s].shadowRoot){i=t.path[s];break}0!==s||i||(i=t.path[s])}return i||(i=t.target),t.isTargetWebComponent=!0,f()?t.realTarget=t.srcElement||t.toElement:(e instanceof u.Core||e instanceof Walkontable)&&(e instanceof u.Core?n=e.view?e.view.wt.wtTable.TABLE:null:e instanceof Walkontable&&(n=e.wtTable.TABLE.parentNode.parentNode),r=h(t.target,[l],n),r?t.realTarget=n.querySelector(l)||t.target:t.realTarget=t.target),Object.defineProperty(t,"target",{get:function(){return d(i)},enumerable:!0,configurable:!0}),t}function r(e){return new g(e)}Object.defineProperties(o,{EventManager:{get:function(){return g}},eventManager:{get:function(){return r}},__esModule:{value:!0}});var i,s,a,l,u=(i=e("browser"),i&&i.__esModule&&i||{default:i}).default,c=(s=e("helpers/dom/element"),s&&s.__esModule&&s||{default:s}),d=c.polymerWrap,h=c.closest,f=(a=e("helpers/feature"),a&&a.__esModule&&a||{default:a}).isWebComponentSupportedNatively,p=(l=e("helpers/dom/event"),l&&l.__esModule&&l||{default:l}).stopImmediatePropagation,g=function(){var e=void 0!==arguments[0]?arguments[0]:null;this.context=e||this,this.context.eventListeners||(this.context.eventListeners=[])};$traceurRuntime.createClass(g,{addEventListener:function(e,t,o){function r(e){e=n(s,e),o.call(this,e)}var i=this,s=this.context;return this.context.eventListeners.push({element:e,event:t,callback:o,callbackProxy:r}),window.addEventListener?e.addEventListener(t,r,!1):e.attachEvent("on"+t,r),u.countEventManagerListeners++,function(){i.removeEventListener(e,t,o)}},removeEventListener:function(e,t,o){for(var 
n,r=this.context.eventListeners.length;r--;)if(n=this.context.eventListeners[r],n.event==t&&n.element==e){if(o&&o!=n.callback)continue;this.context.eventListeners.splice(r,1),n.element.removeEventListener?n.element.removeEventListener(n.event,n.callbackProxy,!1):n.element.detachEvent("on"+n.event,n.callbackProxy),u.countEventManagerListeners--}},clearEvents:function(){if(this.context)for(var e=this.context.eventListeners.length;e--;){var t=this.context.eventListeners[e];t&&this.removeEventListener(t.element,t.event,t.callback)}},clear:function(){this.clearEvents()},destroy:function(){this.clearEvents(),this.context=null},fireEvent:function(e,t){var o,n={bubbles:!0,cancelable:"mousemove"!==t,view:window,detail:0,screenX:0,screenY:0,clientX:1,clientY:1,ctrlKey:!1,altKey:!1,shiftKey:!1,metaKey:!1,button:0,relatedTarget:void 0};document.createEvent?(o=document.createEvent("MouseEvents"),o.initMouseEvent(t,n.bubbles,n.cancelable,n.view,n.detail,n.screenX,n.screenY,n.clientX,n.clientY,n.ctrlKey,n.altKey,n.shiftKey,n.metaKey,n.button,n.relatedTarget||document.body.parentNode)):o=document.createEventObject(),e.dispatchEvent?e.dispatchEvent(o):e.fireEvent("on"+t,o)}},{}),u.countEventManagerListeners=0,u.eventManager=r},{browser:24,"helpers/dom/element":47,"helpers/dom/event":48,"helpers/feature":49}],43:[function(e,t,o){"use strict";function n(e){for(var t=0,o=e.length;tt?e:t},Array.isArray(e)?e[0]:void 0)}function h(e){return s(e,function(e,t){return e>>0;if(0===r)return!1;for(var i=0|o,s=Math.max(i>=0?i:r-Math.abs(i),0);s0;)t=(o-1)%g,n=String.fromCharCode(65+t)+n,o=parseInt((o-t)/g,10);return n}function r(e){var t=0;if(e)for(var o=0,n=e.length-1;o-1||t.indexOf(e)>-1))return e;e=e.host&&e.nodeType===Node.DOCUMENT_FRAGMENT_NODE?e.host:e.parentNode}return null}function i(e,t,o){for(var n=[];e&&(e=r(e,t,o),e&&(!o||o.contains(e)));)n.push(e),e=e.host&&e.nodeType===Node.DOCUMENT_FRAGMENT_NODE?e.host:e.parentNode;var i=n.length;return i?n[i-1]:null}function s(e,t){var 
o=e.parentNode,n=[];for("string"==typeof t?n=Array.prototype.slice.call(document.querySelectorAll(t),0):n.push(t);null!=o;){if(n.indexOf(o)>-1)return!0;o=o.parentNode}return!1}function a(e){function t(e){return e.nodeType===Node.ELEMENT_NODE&&e.nodeName===n.toUpperCase()}var o,n="hot-table",r=!1;for(o=l(e);null!=o;){if(t(o)){r=!0;break}if(o.host&&o.nodeType===Node.DOCUMENT_FRAGMENT_NODE){if(r=t(o.host))break;o=o.host}o=o.parentNode}return r}function l(e){return"undefined"!=typeof Polymer&&"function"==typeof wrap?wrap(e):e}function u(e){return"undefined"!=typeof Polymer&&"function"==typeof unwrap?unwrap(e):e}function c(e){var t=0;if(e.previousSibling)for(;e=e.previousSibling;)++t;return t}function d(e,t){var o=document.querySelector(".ht_clone_"+e);return o?o.contains(t):null}function h(e){var t=0,o=[];if(!e||!e.length)return o;for(;e[t];)o.push(e[t]),t++;return o}function f(e,t){return Z(e,t)}function p(e,t){return J(e,t)}function g(e,t){return Q(e,t)}function m(e,t){if(3===e.nodeType)t.removeChild(e);else if(["TABLE","THEAD","TBODY","TFOOT","TR"].indexOf(e.nodeName)>-1)for(var o=e.childNodes,n=o.length-1;n>=0;n--)m(o[n],e)}function w(e){for(var t;t=e.lastChild;)e.removeChild(t)}function v(e,t){ue.test(t)?e.innerHTML=t:y(e,t)}function y(e,t){var o=e.firstChild;o&&3===o.nodeType&&null===o.nextSibling?ce?o.textContent=t:o.data=t:(w(e),e.appendChild(document.createTextNode(t)))}function b(e){for(var t=e;u(t)!==document.documentElement;){if(null===t)return!1;if(t.nodeType===Node.DOCUMENT_FRAGMENT_NODE){if(t.host){if(t.host.impl)return b(t.host.impl);if(t.host)return b(t.host);throw new Error("Lost in Web Components world")}return!1}if("none"===t.style.display)return!1;t=t.parentNode}return!0}function C(e){var t,o,n,r,i;if(r=document.documentElement,re()&&e.firstChild&&"CAPTION"===e.firstChild.nodeName)return 
i=e.getBoundingClientRect(),{top:i.top+(window.pageYOffset||r.scrollTop)-(r.clientTop||0),left:i.left+(window.pageXOffset||r.scrollLeft)-(r.clientLeft||0)};for(t=e.offsetLeft,o=e.offsetTop,n=e;(e=e.offsetParent)&&e!==document.body;)t+=e.offsetLeft,o+=e.offsetTop,n=e;return n&&"fixed"===n.style.position&&(t+=window.pageXOffset||r.scrollLeft,o+=window.pageYOffset||r.scrollTop),{left:t,top:o}}function _(){var e=window.scrollY;return void 0===e&&(e=document.documentElement.scrollTop),e}function R(){var e=window.scrollX;return void 0===e&&(e=document.documentElement.scrollLeft),e}function M(e){return e===window?_():e.scrollTop}function S(e){return e===window?R():e.scrollLeft}function E(e){for(var t,o,n,r=e.parentNode,i=["auto","scroll"],s="",a="",l="",u="";r&&r.style&&document.body!==r;){if(t=r.style.overflow,o=r.style.overflowX,n=r.style.overflowY,"scroll"==t||"scroll"==o||"scroll"==n)return r;if(window.getComputedStyle&&(s=window.getComputedStyle(r),a=s.getPropertyValue("overflow"),l=s.getPropertyValue("overflow-y"),u=s.getPropertyValue("overflow-x"),"scroll"===a||"scroll"===u||"scroll"===l))return r;if(r.clientHeight<=r.scrollHeight&&(i.indexOf(n)!==-1||i.indexOf(t)!==-1||i.indexOf(a)!==-1||i.indexOf(l)!==-1))return r;if(r.clientWidth<=r.scrollWidth&&(i.indexOf(o)!==-1||i.indexOf(t)!==-1||i.indexOf(a)!==-1||i.indexOf(u)!==-1))return r;r=r.parentNode}return window}function O(e){for(var t=e.parentNode;t&&t.style&&document.body!==t;){if("visible"!==t.style.overflow&&""!==t.style.overflow)return t;if(window.getComputedStyle){var o=window.getComputedStyle(t);if("visible"!==o.getPropertyValue("overflow")&&""!==o.getPropertyValue("overflow"))return t}t=t.parentNode}return window}function T(e,t){if(e){if(e!==window){var o,n=e.style[t];return""!==n&&void 0!==n?n:(o=k(e),""!==o[t]&&void 0!==o[t]?o[t]:void 0)}if("width"===t)return window.innerWidth+"px";if("height"===t)return window.innerHeight+"px"}}function k(e){return 
e.currentStyle||document.defaultView.getComputedStyle(e)}function D(e){return e.offsetWidth}function x(e){return re()&&e.firstChild&&"CAPTION"===e.firstChild.nodeName?e.offsetHeight+e.firstChild.offsetHeight:e.offsetHeight}function H(e){return e.clientHeight||e.innerHeight}function A(e){return e.clientWidth||e.innerWidth}function P(e,t,o){window.addEventListener?e.addEventListener(t,o,!1):e.attachEvent("on"+t,o)}function N(e,t,o){window.removeEventListener?e.removeEventListener(t,o,!1):e.detachEvent("on"+t,o)}function L(e){if(e.selectionStart)return e.selectionStart;if(document.selection){e.focus();var t=document.selection.createRange();if(null==t)return 0;var o=e.createTextRange(),n=o.duplicate();return o.moveToBookmark(t.getBookmark()),n.setEndPoint("EndToStart",o),n.text.length}return 0}function I(e){if(e.selectionEnd)return e.selectionEnd;if(document.selection){var t=document.selection.createRange();if(null==t)return 0;var o=e.createTextRange();return o.text.indexOf(t.text)+t.text.length}}function W(){var e="";return window.getSelection?e=window.getSelection().toString():document.selection&&"Control"!==document.selection.type&&(e=document.selection.createRange().text),e}function j(e,t,o){if(void 0===o&&(o=t),e.setSelectionRange){e.focus();try{e.setSelectionRange(t,o)}catch(i){var n=e.parentNode,r=n.style.display;n.style.display="block",e.setSelectionRange(t,o),n.style.display=r}}else if(e.createTextRange){var i=e.createTextRange();i.collapse(!0),i.moveEnd("character",o),i.moveStart("character",t),i.select()}}function V(){var e=document.createElement("div");e.style.height="200px",e.style.width="100%";var t=document.createElement("div");t.style.boxSizing="content-box",t.style.height="150px",t.style.left="0px",t.style.overflow="hidden",t.style.position="absolute",t.style.top="0px",t.style.width="200px",t.style.visibility="hidden",t.appendChild(e),(document.body||document.documentElement).appendChild(t);var o=e.offsetWidth;t.style.overflow="scroll";var 
n=e.offsetWidth;return o==n&&(n=t.clientWidth),(document.body||document.documentElement).removeChild(t),o-n}function B(){return void 0===le&&(le=V()),le}function F(e){return e.offsetWidth!==e.clientWidth}function z(e){return e.offsetHeight!==e.clientHeight}function Y(e,t,o){te()||oe()?(e.style.top=o,e.style.left=t):ne()?e.style["-webkit-transform"]="translate3d("+t+","+o+",0)":e.style.transform="translate3d("+t+","+o+",0)"}function U(e){var t;return e.style.transform&&""!==(t=e.style.transform)?["transform",t]:e.style["-webkit-transform"]&&""!==(t=e.style["-webkit-transform"])?["-webkit-transform",t]:-1}function G(e){e.style.transform&&""!==e.style.transform?e.style.transform="":e.style["-webkit-transform"]&&""!==e.style["-webkit-transform"]&&(e.style["-webkit-transform"]="")}function $(e){var t=["INPUT","SELECT","TEXTAREA"];return e&&(t.indexOf(e.nodeName)>-1||"true"===e.contentEditable)}function K(e){return $(e)&&e.className.indexOf("handsontableInput")==-1&&e.className.indexOf("copyPaste")==-1}Object.defineProperties(o,{getParent:{get:function(){return n}},closest:{get:function(){return r}},closestDown:{get:function(){return i}},isChildOf:{get:function(){return s}},isChildOfWebComponentTable:{get:function(){return a}},polymerWrap:{get:function(){return l}},polymerUnwrap:{get:function(){return u}},index:{get:function(){return c}},overlayContainsElement:{get:function(){return d}},hasClass:{get:function(){return f}},addClass:{get:function(){return p}},removeClass:{get:function(){return g}},removeTextNodes:{get:function(){return m}},empty:{get:function(){return w}},HTML_CHARACTERS:{get:function(){return ue}},fastInnerHTML:{get:function(){return v}},fastInnerText:{get:function(){return y}},isVisible:{get:function(){return b}},offset:{get:function(){return C}},getWindowScrollTop:{get:function(){return _}},getWindowScrollLeft:{get:function(){return R}},getScrollTop:{get:function(){return M}},getScrollLeft:{get:function(){return 
S}},getScrollableElement:{get:function(){return E}},getTrimmingContainer:{get:function(){return O}},getStyle:{get:function(){return T}},getComputedStyle:{get:function(){return k}},outerWidth:{get:function(){return D}},outerHeight:{get:function(){return x}},innerHeight:{get:function(){return H}},innerWidth:{get:function(){return A}},addEvent:{get:function(){return P}},removeEvent:{get:function(){return N}},getCaretPosition:{get:function(){return L}},getSelectionEndPosition:{get:function(){return I}},getSelectionText:{get:function(){return W}},setCaretPosition:{get:function(){return j}},getScrollbarWidth:{get:function(){return B}},hasVerticalScrollbar:{get:function(){return F}},hasHorizontalScrollbar:{get:function(){return z}},setOverlayPosition:{get:function(){return Y}},getCssTransform:{get:function(){return U}},resetCssTransform:{get:function(){return G}},isInput:{get:function(){return $}},isOutsideInput:{get:function(){return K}},__esModule:{value:!0}});var X,q,Z,J,Q,ee=(X=e("../browser"),X&&X.__esModule&&X||{default:X}),te=ee.isIE8,oe=ee.isIE9,ne=ee.isSafari,re=(q=e("../feature"),q&&q.__esModule&&q||{default:q}).hasCaptionProblem,ie=!!document.documentElement.classList;if(ie){var se=function(){var e=document.createElement("div");return e.classList.add("test","test2"),e.classList.contains("test2")}();Z=function(e,t){return""!==t&&e.classList.contains(t)},J=function(e,t){var o=0;if("string"==typeof t&&(t=t.split(" ")),t=h(t),se)e.classList.add.apply(e.classList,t);else for(;t&&t[o];)e.classList.add(t[o]),o++},Q=function(e,t){var o=0;if("string"==typeof t&&(t=t.split(" ")),t=h(t),se)e.classList.remove.apply(e.classList,t);else for(;t&&t[o];)e.classList.remove(t[o]),o++}}else{var ae=function(e){return new RegExp("(\\s|^)"+e+"(\\s|$)")};Z=function(e,t){return!!e.className.match(ae(t))},J=function(e,t){var o=0,n=e.className;if("string"==typeof t&&(t=t.split(" ")),""===n)n=t.join(" ");else for(;t&&t[o];)ae(t[o]).test(n)||(n+=" 
"+t[o]),o++;e.className=n},Q=function(e,t){var o=0,n=e.className;for("string"==typeof t&&(t=t.split(" "));t&&t[o];)n=n.replace(ae(t[o])," ").trim(),o++;e.className!==n&&(e.className=n)}}var le,ue=/(<(.*)>|&(.*);)/,ce=!!document.createTextNode("test").textContent},{"../browser":44,"../feature":49}],48:[function(e,t,o){"use strict";function n(e){e.isImmediatePropagationEnabled=!1,e.cancelBubble=!0}function r(e){return e.isImmediatePropagationEnabled===!1}function i(e){"function"==typeof e.stopPropagation?e.stopPropagation():e.cancelBubble=!0}function s(e){return e.pageX?e.pageX:e.clientX+f()}function a(e){return e.pageY?e.pageY:e.clientY+h()}function l(e){return 2===e.button}function u(e){return 0===e.button}Object.defineProperties(o,{stopImmediatePropagation:{get:function(){return n}},isImmediatePropagationStopped:{get:function(){return r}},stopPropagation:{get:function(){return i}},pageX:{get:function(){return s}},pageY:{get:function(){return a}},isRightClick:{get:function(){return l}},isLeftClick:{get:function(){return u}},__esModule:{value:!0}});var c,d=(c=e("element"),c&&c.__esModule&&c||{default:c}),h=d.getWindowScrollTop,f=d.getWindowScrollLeft},{element:47}],49:[function(e,t,o){"use strict";function n(e){return h.call(window,e)}function r(e){f.call(window,e)}function i(){return"ontouchstart"in window}function s(){var e=document.createElement("div");return!(!e.createShadowRoot||!e.createShadowRoot.toString().match(/\[native code\]/))}function a(){var e=document.createElement("TABLE");e.style.borderSpacing=0,e.style.borderWidth=0,e.style.padding=0;var t=document.createElement("TBODY");e.appendChild(t),t.appendChild(document.createElement("TR")),t.firstChild.appendChild(document.createElement("TD")),t.firstChild.firstChild.innerHTML="t
t";var o=document.createElement("CAPTION");o.innerHTML="c
c
c
c",o.style.padding=0,o.style.margin=0,e.insertBefore(o,t),document.body.appendChild(e),g=e.offsetHeight<2*e.lastChild.offsetHeight,document.body.removeChild(e)}function l(){return void 0===g&&a(),g}function u(e){var t=void 0!==arguments[1]?arguments[1]:{};return m?m:m="object"==typeof Intl?new Intl.Collator(e,t).compare:"function"==typeof String.prototype.localeCompare?function(e,t){return(e+"").localeCompare(t)}:function(e,t){return e===t?0:e>t?-1:1}}Object.defineProperties(o,{requestAnimationFrame:{get:function(){return n}},cancelAnimationFrame:{get:function(){return r}},isTouchSupported:{get:function(){return i}},isWebComponentSupportedNatively:{get:function(){return s}},hasCaptionProblem:{get:function(){return l}},getComparisonFunction:{get:function(){return u}},__esModule:{value:!0}});for(var c=0,d=["ms","moz","webkit","o"],h=window.requestAnimationFrame,f=window.cancelAnimationFrame,p=0;p=o?e.apply(this,a):t(a)}}var o=e.length;return t([])}function d(e){function t(n){return function(){for(var r=[],i=0;i=o?e.apply(this,a):t(a)}}var o=e.length;return t([])}Object.defineProperties(o,{isFunction:{get:function(){return n}},proxy:{get:function(){return r}},throttle:{get:function(){return i}},throttleAfterHits:{get:function(){return s}},debounce:{get:function(){return a}},pipe:{get:function(){return l}},partial:{get:function(){return u}},curry:{get:function(){return c}},curryRight:{get:function(){return d}},__esModule:{value:!0}});var h,f=(h=e("array"),h&&h.__esModule&&h||{default:h}).arrayReduce},{array:43}],51:[function(e,t,o){"use strict";function n(e){switch(typeof e){case"string":case"number":return e+"";case"object":return null===e?"":e.toString();case"undefined":return"";default:return e.toString()}}function r(e){return"undefined"!=typeof e}function i(e){return"undefined"==typeof e}Object.defineProperties(o,{stringify:{get:function(){return n}},isDefined:{get:function(){return r}},isUndefined:{get:function(){return 
i}},__esModule:{value:!0}})},{}],52:[function(e,t,o){"use strict";function n(e){var t=typeof e;return"number"==t?!isNaN(e)&&isFinite(e):"string"==t?!!e.length&&(1==e.length?/\d/.test(e):/^\s*[+-]?\s*(?:(?:\d+(?:\.\d+)?(?:e[+-]?\d+)?)|(?:0x[a-f\d]+))\s*$/i.test(e)):"object"==t&&!(!e||"number"!=typeof e.valueOf()||e instanceof Date)}function r(e,t,o){var n=-1;for("function"==typeof t?(o=t,t=e):n=e-1;++n<=t&&o(n)!==!1;);}function i(e,t,o){var n=e+1;for("function"==typeof t&&(o=t,t=0);--n>=t&&o(n)!==!1;);}function s(e,t){return t=parseInt(t.toString().replace("%",""),10),t=parseInt(e*t/100)}Object.defineProperties(o,{isNumeric:{get:function(){return n}},rangeEach:{get:function(){return r}},rangeEachReverse:{get:function(){return i}},valueAccordingPercent:{get:function(){return s}},__esModule:{value:!0}})},{}],53:[function(e,t,o){"use strict";function n(e){var t;return Array.isArray(e)?t=[]:(t={},p(e,function(e,o){"__children"!==o&&(e&&"object"==typeof e&&!Array.isArray(e)?t[o]=n(e):Array.isArray(e)?e.length&&"object"==typeof e[0]&&!Array.isArray(e[0])?t[o]=[n(e[0])]:t[o]=[]:t[o]=null)})),t}function r(e,t){return t.prototype.constructor=t,e.prototype=new t,e.prototype.constructor=e,e}function i(e,t){return p(t,function(t,o){e[o]=t}),e}function s(e,t){p(t,function(o,n){t[n]&&"object"==typeof t[n]?(e[n]||(Array.isArray(t[n])?e[n]=[]:"[object Date]"===Object.prototype.toString.call(t[n])?e[n]=t[n]:e[n]={}),s(e[n],t[n])):e[n]=t[n]})}function a(e){return"object"==typeof e?JSON.parse(JSON.stringify(e)):e}function l(e){var t={};return p(e,function(e,o){t[o]=e}),t}function u(e){for(var t=[],o=1;o=t)return e;o=String(o);var n=o.length;n||(o=" ");var r=t-e.length,i=Math.ceil(r/o.length),s="";return g(i,function(e){s+=o}),s=s.slice(0,r),s+e}function d(e){return e+="",e.replace(m,"")}Object.defineProperties(o,{toUpperCaseFirst:{get:function(){return n}},startsWith:{get:function(){return r}},endsWith:{get:function(){return i}},equalsIgnoreCase:{get:function(){return 
s}},randomString:{get:function(){return a}},isPercentValue:{get:function(){return l}},substitute:{get:function(){return u}},padStart:{get:function(){return c}},stripTags:{get:function(){return d}},__esModule:{value:!0}});var h,f,p=(h=e("mixed"),h&&h.__esModule&&h||{default:h}).stringify,g=(f=e("number"),f&&f.__esModule&&f||{default:f}).rangeEach,m=/<\/?\w+\/?>|<\w+[\s|\/][^>]*>/gi},{mixed:51,number:52}],56:[function(e,t,o){"use strict";function n(e){return 32==e||e>=48&&e<=57||e>=96&&e<=111||e>=186&&e<=192||e>=219&&e<=222||e>=226||e>=65&&e<=90}function r(e){var t=[u.ARROW_DOWN,u.ARROW_UP,u.ARROW_LEFT,u.ARROW_RIGHT,u.HOME,u.END,u.DELETE,u.BACKSPACE,u.F1,u.F2,u.F3,u.F4,u.F5,u.F6,u.F7,u.F8,u.F9,u.F10,u.F11,u.F12,u.TAB,u.PAGE_DOWN,u.PAGE_UP,u.ENTER,u.ESCAPE,u.SHIFT,u.CAPS_LOCK,u.ALT];return t.indexOf(e)!==-1}function i(e){return[u.CONTROL_LEFT,224,u.COMMAND_LEFT,u.COMMAND_RIGHT].indexOf(e)!==-1}function s(e,t){var o=t.split("|"),n=!1;return l(o,function(t){if(e===u[t])return n=!0,!1}),n}Object.defineProperties(o,{KEY_CODES:{get:function(){return u}},isPrintableChar:{get:function(){return n}},isMetaKey:{get:function(){return r}},isCtrlKey:{get:function(){return i}},isKey:{get:function(){return s}},__esModule:{value:!0}});var a,l=(a=e("array"),a&&a.__esModule&&a||{default:a}).arrayEach,u={MOUSE_LEFT:1,MOUSE_RIGHT:3,MOUSE_MIDDLE:2,BACKSPACE:8,COMMA:188,INSERT:45,DELETE:46,END:35,ENTER:13,ESCAPE:27,CONTROL_LEFT:91,COMMAND_LEFT:17,COMMAND_RIGHT:93,ALT:18,HOME:36,PAGE_DOWN:34,PAGE_UP:33,PERIOD:190,SPACE:32,SHIFT:16,CAPS_LOCK:20,TAB:9,ARROW_RIGHT:39,ARROW_LEFT:37,ARROW_UP:38,ARROW_DOWN:40,F1:112,F2:113,F3:114,F4:115,F5:116,F6:117,F7:118,F8:119,F9:120,F10:121,F11:122,F12:123,A:65,X:88,C:67,V:86}},{array:43}],57:[function(e,t,o){"use strict";Object.defineProperties(o,{arrayMapper:{get:function(){return g}},__esModule:{value:!0}});var 
n,r,i,s,a=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,l=(r=e("helpers/array"),r&&r.__esModule&&r||{default:r}),u=(l.arrayEach,l.arrayReduce),c=l.arrayMap,d=l.arrayMax,h=(i=e("helpers/object"),i&&i.__esModule&&i||{default:i}).defineGetter,f=(s=e("helpers/number"),s&&s.__esModule&&s||{default:s}).rangeEach,p="arrayMapper",g={_arrayMap:[],getValueByIndex:function(e){var t;return void 0===(t=this._arrayMap[e])?null:t},getIndexByValue:function(e){var t;return(t=this._arrayMap.indexOf(e))===-1?null:t},insertItems:function(e){var t=void 0!==arguments[1]?arguments[1]:1,o=this,n=d(this._arrayMap)+1,r=[];return f(t-1,function(t){r.push(o._arrayMap.splice(e+t,0,n+t))}),r},removeItems:function(e){var t=void 0!==arguments[1]?arguments[1]:1,o=this,n=[];if(Array.isArray(e)){var r=[].concat(this._arrayMap);e.sort(function(e,t){return t-e}),n=u(e,function(e,t){return o._arrayMap.splice(t,1),e.concat(r.slice(t,t+1))},[])}else n=this._arrayMap.splice(e,t);return n},unshiftItems:function(e){function t(e){return u(n,function(t,o){return e>o&&t++,t},0)}var o=void 0!==arguments[1]?arguments[1]:1,n=this.removeItems(e,o);this._arrayMap=c(this._arrayMap,function(e,o){var n=t(e);return n&&(e-=n),e})},shiftItems:function(e){var t=void 0!==arguments[1]?arguments[1]:1,o=this;this._arrayMap=c(this._arrayMap,function(o){return o>=e&&(o+=t),o}),f(t-1,function(t){o._arrayMap.splice(e+t,0,e+t)})},clearMap:function(){this._arrayMap.length=0}};h(g,"MIXIN_NAME",p,{writable:!1,enumerable:!1}),a.utils.arrayMapper=g},{browser:24,"helpers/array":43,"helpers/number":52,"helpers/object":53}],58:[function(e,t,o){"use strict";Object.defineProperties(o,{localHooks:{get:function(){return c}},__esModule:{value:!0}});var 
n,r,i,s=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,a=(r=e("helpers/array"),r&&r.__esModule&&r||{default:r}).arrayEach,l=(i=e("helpers/object"),i&&i.__esModule&&i||{default:i}).defineGetter,u="localHooks",c={_localHooks:Object.create(null),addLocalHook:function(e,t){this._localHooks[e]||(this._localHooks[e]=[]),this._localHooks[e].push(t)},runLocalHooks:function(e){for(var t=[],o=1;o=0&&(t.skip=!0,!0)},has:function(e){var t=void 0!==arguments[1]?arguments[1]:null,o=this.getBucket(t);return!(void 0===o[e]||!o[e].length)},run:function(e,t,o,n,r,i,s,a){var l=this.globalBucket[t],u=-1,c=l?l.length:0;if(c)for(;++u=0},getRegistered:function(){return i}},{})},{"helpers/array":43,"helpers/object":53}],61:[function(e,t,o){"use strict";function n(e,t){e=h(e),c.plugins[e]=t,c.hooks.add("construct",function(){var o;f.has(this)||f.set(this,{}),o=f.get(this),o[e]||(o[e]=new t(this))}),c.hooks.add("afterDestroy",function(){if(f.has(this)){var e=f.get(this);d(e,function(e){return e.destroy()}),f.delete(this)}})}function r(e,t){if("string"!=typeof t)throw Error('Only strings can be passed as "plugin" parameter');var o=h(t);if(f.has(e)&&f.get(e)[o])return f.get(e)[o]}function i(e){return f.has(e)?Object.keys(f.get(e)):[]}function s(e,t){var o=null;return f.has(e)&&d(f.get(e),function(e,n){e===t&&(o=n)}),o}Object.defineProperties(o,{registerPlugin:{get:function(){return n}},getPlugin:{get:function(){return r}},getRegistredPluginNames:{get:function(){return i}},getPluginName:{get:function(){return s}},__esModule:{value:!0}});var a,l,u,c=(a=e("browser"),a&&a.__esModule&&a||{default:a}).default,d=(l=e("helpers/object"),l&&l.__esModule&&l||{default:l}).objectEach,h=(u=e("helpers/string"),u&&u.__esModule&&u||{default:u}).toUpperCaseFirst,f=new WeakMap},{browser:24,"helpers/object":53,"helpers/string":55}],62:[function(e,t,o){"use strict";Object.defineProperties(o,{default:{get:function(){return C}},__esModule:{value:!0}});var 
n,r,i,s,a,l=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,u=(r=e("helpers/object"),r&&r.__esModule&&r||{default:r}),c=u.defineGetter,d=u.objectEach,h=(i=e("helpers/array"),i&&i.__esModule&&i||{default:i}).arrayEach,f=(s=e("utils/recordTranslator"),s&&s.__esModule&&s||{default:s}),p=(f.registerIdentity,f.getTranslator),g=(a=e("plugins"),a&&a.__esModule&&a||{default:a}),m=g.getRegistredPluginNames,w=g.getPluginName,v=new WeakMap,y=null,b=function(e){var t=this;c(this,"hot",e,{writable:!1}),c(this,"t",p(e),{writable:!1}),v.set(this,{hooks:{}}),y=null,this.pluginName=null,this.pluginsInitializedCallbacks=[],this.isPluginsReady=!1,this.enabled=!1,this.initialized=!1,this.hot.addHook("afterPluginsInitialized",function(){return t.onAfterPluginsInitialized()}),this.hot.addHook("afterUpdateSettings",function(){return t.onUpdateSettings()}),this.hot.addHook("beforeInit",function(){return t.init()})};$traceurRuntime.createClass(b,{init:function(){this.pluginName=w(this.hot,this),this.isEnabled&&this.isEnabled()&&this.enablePlugin(),y||(y=m(this.hot)),y.indexOf(this.pluginName)>=0&&y.splice(y.indexOf(this.pluginName),1),y.length||this.hot.runHooks("afterPluginsInitialized"),this.initialized=!0},enablePlugin:function(){this.enabled=!0},disablePlugin:function(){this.eventManager&&this.eventManager.clear(),this.clearHooks(),this.enabled=!1},addHook:function(e,t){var o=v.get(this).hooks[e]=v.get(this).hooks[e]||[];this.hot.addHook(e,t),o.push(t),v.get(this).hooks[e]=o},removeHooks:function(e){var t=this;h(v.get(this).hooks[e]||[],function(o){t.hot.removeHook(e,o)})},clearHooks:function(){var e=this,t=v.get(this).hooks;d(t,function(t,o){return e.removeHooks(o)}),t.length=0},callOnPluginsReady:function(e){this.isPluginsReady?e():this.pluginsInitializedCallbacks.push(e)},onAfterPluginsInitialized:function(){h(this.pluginsInitializedCallbacks,function(e){return 
e()}),this.pluginsInitializedCallbacks.length=0,this.isPluginsReady=!0},onUpdateSettings:function(){this.isEnabled&&(this.enabled&&!this.isEnabled()&&this.disablePlugin(),!this.enabled&&this.isEnabled()&&this.enablePlugin(),this.enabled&&this.isEnabled()&&this.updatePlugin())},updatePlugin:function(){},destroy:function(){var e=this;this.eventManager&&this.eventManager.destroy(),this.clearHooks(),d(this,function(t,o){"hot"!==o&&"t"!==o&&(e[o]=null)}),delete this.t,delete this.hot}},{});var C=b;l.plugins.BasePlugin=b},{browser:24,"helpers/array":43,"helpers/object":53,plugins:61,"utils/recordTranslator":129}],63:[function(e,t,o){"use strict";Object.defineProperties(o,{AutoColumnSize:{get:function(){return H}},__esModule:{value:!0}});var n,r,i,s,a,l,u,c,d,h,f,p=(n=e("_base"),n&&n.__esModule&&n||{default:n}).default,g=(r=e("helpers/array"),r&&r.__esModule&&r||{default:r}),m=g.arrayEach,w=g.arrayFilter,v=(i=e("helpers/feature"),i&&i.__esModule&&i||{default:i}),y=v.cancelAnimationFrame,b=v.requestAnimationFrame,C=(s=e("helpers/dom/element"),s&&s.__esModule&&s||{default:s}).isVisible,_=(a=e("utils/ghostTable"),a&&a.__esModule&&a||{default:a}).GhostTable,R=(l=e("helpers/object"),l&&l.__esModule&&l||{default:l}),M=R.isObject,S=(R.objectEach,u=e("helpers/number"),u&&u.__esModule&&u||{default:u}),E=S.valueAccordingPercent,O=S.rangeEach,T=(c=e("plugins"),c&&c.__esModule&&c||{default:c}).registerPlugin,k=(d=e("utils/samplesGenerator"),d&&d.__esModule&&d||{default:d}).SamplesGenerator,D=(h=e("helpers/string"),h&&h.__esModule&&h||{default:h}).isPercentValue,x=(f=e("3rdparty/walkontable/src/calculator/viewportColumns"),f&&f.__esModule&&f||{default:f}).WalkontableViewportColumnsCalculator,H=function(e){var t=this;$traceurRuntime.superConstructor(A).call(this,e),this.widths=[],this.ghostTable=new _(this.hot),this.samplesGenerator=new k(function(e,o){return t.hot.getDataAtCell(e,o)}),this.firstCalculation=!0,this.inProgress=!1,this.addHook("beforeColumnResize",function(e,o,n){return 
t.onBeforeColumnResize(e,o,n)})},A=H;$traceurRuntime.createClass(H,{isEnabled:function(){return this.hot.getSettings().autoColumnSize!==!1&&!this.hot.getSettings().colWidths},enablePlugin:function(){var e=this;if(!this.enabled){var t=this.hot.getSettings().autoColumnSize;t&&null!=t.useHeaders&&this.ghostTable.setSetting("useHeaders",t.useHeaders),this.addHook("afterLoadData",function(){return e.onAfterLoadData()}),this.addHook("beforeChange",function(t){return e.onBeforeChange(t)}),this.addHook("beforeRender",function(t){return e.onBeforeRender(t)}),this.addHook("modifyColWidth",function(t,o){return e.getColumnWidth(o,t)}),$traceurRuntime.superGet(this,A.prototype,"enablePlugin").call(this)}},disablePlugin:function(){$traceurRuntime.superGet(this,A.prototype,"disablePlugin").call(this)},calculateColumnsWidth:function(){var e=void 0!==arguments[0]?arguments[0]:{from:0,to:this.hot.countCols()-1},t=void 0!==arguments[1]?arguments[1]:{from:0,to:this.hot.countRows()-1},o=void 0!==arguments[2]&&arguments[2],n=this;"number"==typeof e&&(e={from:e,to:e}),"number"==typeof t&&(t={from:t,to:t}),O(e.from,e.to,function(e){if(o||void 0===n.widths[e]&&!n.hot._getColWidthFromSettings(e)){var r=n.samplesGenerator.generateColumnSamples(e,t);r.forEach(function(e,t){return n.ghostTable.addColumn(t,e)})}}),this.ghostTable.columns.length&&(this.ghostTable.getWidths(function(e,t){return n.widths[e]=t}),this.ghostTable.clean())},calculateAllColumnsWidth:function(){var e=void 0!==arguments[0]?arguments[0]:{from:0,to:this.hot.countRows()-1},t=this,o=0,n=this.hot.countCols()-1,r=null;this.inProgress=!0;var i=function(){return t.hot?(t.calculateColumnsWidth({from:o,to:Math.min(o+A.CALCULATION_STEP,n)},e),o=o+A.CALCULATION_STEP+1,void(o>=0),Math.min(e,t)},getColumnWidth:function(e){var t=arguments[1],o=void 0===arguments[2]||arguments[2],n=t;return void 0===n&&(n=this.widths[e],o&&"number"==typeof n&&(n=Math.max(n,x.DEFAULT_WIDTH))),n},getFirstVisibleColumn:function(){var 
e=this.hot.view.wt;return e.wtViewport.columnsVisibleCalculator?e.wtTable.getFirstVisibleColumn():e.wtViewport.columnsRenderCalculator?e.wtTable.getFirstRenderedColumn():-1},getLastVisibleColumn:function(){var e=this.hot.view.wt;return e.wtViewport.columnsVisibleCalculator?e.wtTable.getLastVisibleColumn():e.wtViewport.columnsRenderCalculator?e.wtTable.getLastRenderedColumn():-1},clearCache:function(){this.widths.length=0},isNeedRecalculate:function(){return!!w(this.widths,function(e){return void 0===e}).length},onBeforeRender:function(){var e=this.hot.renderCall,t=this.hot.countRows();t&&(this.calculateColumnsWidth({from:this.getFirstVisibleColumn(),to:this.getLastVisibleColumn()},void 0,e),this.isNeedRecalculate()&&!this.inProgress&&this.calculateAllColumnsWidth())},onAfterLoadData:function(){var e=this;this.hot.view?this.recalculateAllColumnsWidth():setTimeout(function(){e.hot&&e.recalculateAllColumnsWidth()},0)},onBeforeChange:function(e){var t=this;m(e,function(e){return t.widths[t.hot.propToCol(e[1])]=void 0})},onBeforeColumnResize:function(e,t,o){return o&&(this.calculateColumnsWidth(e,void 0,!0),t=this.getColumnWidth(e,void 0,!1)),t},destroy:function(){this.ghostTable.clean(),$traceurRuntime.superGet(this,A.prototype,"destroy").call(this)}},{get CALCULATION_STEP(){return 50},get SYNC_CALCULATION_LIMIT(){return 50}},p),T("autoColumnSize",H)},{"3rdparty/walkontable/src/calculator/viewportColumns":4,_base:62,"helpers/array":43,"helpers/dom/element":47,"helpers/feature":49,"helpers/number":52,"helpers/object":53,"helpers/string":55,plugins:61,"utils/ghostTable":127,"utils/samplesGenerator":130}],64:[function(e,t,o){"use strict";Object.defineProperties(o,{AutoRowSize:{get:function(){return k}},__esModule:{value:!0}});var 
n,r,i,s,a,l,u,c,d,h,f=(n=e("_base"),n&&n.__esModule&&n||{default:n}).default,p=(r=e("helpers/array"),r&&r.__esModule&&r||{default:r}),g=(p.arrayEach,p.arrayFilter),m=(i=e("helpers/feature"),i&&i.__esModule&&i||{default:i}),w=m.cancelAnimationFrame,v=m.requestAnimationFrame,y=(s=e("helpers/dom/element"),s&&s.__esModule&&s||{default:s}).isVisible,b=(a=e("utils/ghostTable"),a&&a.__esModule&&a||{default:a}).GhostTable,C=(l=e("helpers/object"),l&&l.__esModule&&l||{default:l}),_=C.isObject,R=(C.objectEach,u=e("helpers/number"),u&&u.__esModule&&u||{default:u}),M=R.valueAccordingPercent,S=R.rangeEach,E=(c=e("plugins"),c&&c.__esModule&&c||{default:c}).registerPlugin,O=(d=e("utils/samplesGenerator"),d&&d.__esModule&&d||{default:d}).SamplesGenerator,T=(h=e("helpers/string"),h&&h.__esModule&&h||{default:h}).isPercentValue,k=function(e){var t=this;$traceurRuntime.superConstructor(D).call(this,e),this.heights=[],this.ghostTable=new b(this.hot),this.samplesGenerator=new O(function(e,o){return e>=0?t.hot.getDataAtCell(e,o):e===-1?t.hot.getColHeader(o):null}),this.firstCalculation=!0,this.inProgress=!1,this.addHook("beforeRowResize",function(e,o,n){return t.onBeforeRowResize(e,o,n)})},D=k;$traceurRuntime.createClass(k,{isEnabled:function(){return this.hot.getSettings().autoRowSize===!0||_(this.hot.getSettings().autoRowSize)},enablePlugin:function(){var e=this;this.enabled||(this.setSamplingOptions(),this.addHook("afterLoadData",function(){return e.onAfterLoadData()}),this.addHook("beforeChange",function(t){return e.onBeforeChange(t)}),this.addHook("beforeColumnMove",function(){return e.recalculateAllRowsHeight()}),this.addHook("beforeColumnResize",function(){return e.recalculateAllRowsHeight()}),this.addHook("beforeColumnSort",function(){return e.clearCache()}),this.addHook("beforeRender",function(t){return e.onBeforeRender(t)}),this.addHook("beforeRowMove",function(t,o){return e.onBeforeRowMove(t,o)}),this.addHook("modifyRowHeight",function(t,o){return 
e.getRowHeight(o,t)}),this.addHook("modifyColumnHeaderHeight",function(){return e.getColumnHeaderHeight()}),$traceurRuntime.superGet(this,D.prototype,"enablePlugin").call(this))},disablePlugin:function(){$traceurRuntime.superGet(this,D.prototype,"disablePlugin").call(this)},calculateRowsHeight:function(){var e=void 0!==arguments[0]?arguments[0]:{from:0,to:this.hot.countRows()-1},t=void 0!==arguments[1]?arguments[1]:{from:0,to:this.hot.countCols()-1},o=void 0!==arguments[2]&&arguments[2],n=this;if("number"==typeof e&&(e={from:e,to:e}),"number"==typeof t&&(t={from:t,to:t}),null!==this.hot.getColHeader(0)){var r=this.samplesGenerator.generateRowSamples(-1,t);this.ghostTable.addColumnHeadersRow(r.get(-1))}S(e.from,e.to,function(e){if(o||void 0===n.heights[e]){var r=n.samplesGenerator.generateRowSamples(e,t);r.forEach(function(e,t){return n.ghostTable.addRow(t,e)})}}),this.ghostTable.rows.length&&(this.ghostTable.getHeights(function(e,t){return n.heights[e]=t}),this.ghostTable.clean())},calculateAllRowsHeight:function(){var e=void 0!==arguments[0]?arguments[0]:{from:0,to:this.hot.countCols()-1},t=this,o=0,n=this.hot.countRows()-1,r=null;this.inProgress=!0;var i=function(){return t.hot?(t.calculateRowsHeight({from:o,to:Math.min(o+D.CALCULATION_STEP,n)},e),o=o+D.CALCULATION_STEP+1,void(o>=0),Math.min(e,t)},getRowHeight:function(e){var t=arguments[1],o=t;return void 0!==this.heights[e]&&this.heights[e]>(t||0)&&(o=this.heights[e]),o},getColumnHeaderHeight:function(){return this.heights[-1]},getFirstVisibleRow:function(){var e=this.hot.view.wt;return e.wtViewport.rowsVisibleCalculator?e.wtTable.getFirstVisibleRow():e.wtViewport.rowsRenderCalculator?e.wtTable.getFirstRenderedRow():-1},getLastVisibleRow:function(){var e=this.hot.view.wt;return e.wtViewport.rowsVisibleCalculator?e.wtTable.getLastVisibleRow():e.wtViewport.rowsRenderCalculator?e.wtTable.getLastRenderedRow():-1},clearCache:function(){this.heights.length=0,this.heights[-1]=void 0},clearCacheByRange:function(e){var 
t=this;"number"==typeof e&&(e={from:e,to:e}),S(Math.min(e.from,e.to),Math.max(e.from,e.to),function(e){return t.heights[e]=void 0})},isNeedRecalculate:function(){return!!g(this.heights,function(e){return void 0===e}).length},onBeforeRender:function(){var e=this.hot.renderCall;this.calculateRowsHeight({from:this.getFirstVisibleRow(),to:this.getLastVisibleRow() -},void 0,e);var t=this.hot.getSettings().fixedRowsBottom;if(t){var o=this.hot.countRows()-1;this.calculateRowsHeight({from:o-t,to:o})}this.isNeedRecalculate()&&!this.inProgress&&this.calculateAllRowsHeight()},onBeforeRowMove:function(e,t){this.clearCacheByRange({from:e,to:t}),this.calculateAllRowsHeight()},onBeforeRowResize:function(e,t,o){return o&&(this.calculateRowsHeight(e,void 0,!0),t=this.getRowHeight(e)),t},onAfterLoadData:function(){var e=this;this.hot.view?this.recalculateAllRowsHeight():setTimeout(function(){e.hot&&e.recalculateAllRowsHeight()},0)},onBeforeChange:function(e){var t=null;1===e.length?t=e[0][0]:e.length>1&&(t={from:e[0][0],to:e[e.length-1][0]}),null!==t&&this.clearCacheByRange(t)},destroy:function(){this.ghostTable.clean(),$traceurRuntime.superGet(this,D.prototype,"destroy").call(this)}},{get CALCULATION_STEP(){return 50},get SYNC_CALCULATION_LIMIT(){return 500}},f),E("autoRowSize",k)},{_base:62,"helpers/array":43,"helpers/dom/element":47,"helpers/feature":49,"helpers/number":52,"helpers/object":53,"helpers/string":55,plugins:61,"utils/ghostTable":127,"utils/samplesGenerator":130}],65:[function(e,t,o){"use strict";Object.defineProperties(o,{Autofill:{get:function(){return T}},__esModule:{value:!0}});var 
n,r,i,s,a,l,u,c,d=(n=e("_base"),n&&n.__esModule&&n||{default:n}).default,h=(r=e("browser"),r&&r.__esModule&&r||{default:r}).default,f=(i=e("helpers/array"),i&&i.__esModule&&i||{default:i}).arrayIncludes,p=(s=e("helpers/dom/element"),s&&s.__esModule&&s||{default:s}),g=p.offset,m=p.outerHeight,w=p.outerWidth,v=(a=e("eventManager"),a&&a.__esModule&&a||{default:a}).eventManager,y=(l=e("plugins"),l&&l.__esModule&&l||{default:l}).registerPlugin,b=(u=e("3rdparty/walkontable/src/cell/coords"),u&&u.__esModule&&u||{default:u}).WalkontableCellCoords,C=(c=e("utils"),c&&c.__esModule&&c||{default:c}),_=C.getDeltas,R=C.getDragDirectionAndRange,M=C.DIRECTIONS,S=C.getMappedFillHandleSetting,E="insert_row",O=200,T=function(e){$traceurRuntime.superConstructor(k).call(this,e),this.eventManager=v(this),this.addingStarted=!1,this.mouseDownOnCellCorner=!1,this.mouseDragOutside=!1,this.handleDraggedCells=0,this.directions=[],this.autoInsertRow=!1},k=T;$traceurRuntime.createClass(T,{isEnabled:function(){return this.hot.getSettings().fillHandle},enablePlugin:function(){var e=this;this.enabled||(this.mapSettings(),this.registerEvents(),this.addHook("afterOnCellCornerMouseDown",function(t){return e.onAfterCellCornerMouseDown(t)}),this.addHook("afterOnCellCornerDblClick",function(t){return e.onCellCornerDblClick(t)}),this.addHook("beforeOnCellMouseOver",function(t,o,n){return e.onBeforeCellMouseOver(o)}),$traceurRuntime.superGet(this,k.prototype,"enablePlugin").call(this))},updatePlugin:function(){this.disablePlugin(),this.enablePlugin(),$traceurRuntime.superGet(this,k.prototype,"updatePlugin").call(this)},disablePlugin:function(){this.clearMappedSettings(),$traceurRuntime.superGet(this,k.prototype,"disablePlugin").call(this)},getSelectionData:function(){var e={from:this.hot.getSelectedRange().from,to:this.hot.getSelectedRange().to};return this.hot.getData(e.from.row,e.from.col,e.to.row,e.to.col)},fillIn:function(){if(this.hot.view.wt.selections.fill.isEmpty())return!1;var 
e=this.hot.view.wt.selections.fill.getCorners();this.resetSelectionOfDraggedArea();var t=this.getCornersOfSelectedCells(),o=R(t,e),n=o.directionOfDrag,r=o.startOfDragCoords,i=o.endOfDragCoords;if(this.hot.runHooks("modifyAutofillRange",t,e),r&&r.row>-1&&r.col>-1){var s=this.getSelectionData(),a=_(r,i,s,n);this.hot.runHooks("beforeAutofill",r,i,s),this.hot.populateFromArray(r.row,r.col,s,i.row,i.col,"autofill",null,n,a),this.setSelection(e)}else this.hot.selection.refreshBorders();return!0},reduceSelectionAreaIfNeeded:function(e){return e.row<0&&(e.row=0),e.col<0&&(e.col=0),e},getCoordsOfDragAndDropBorders:function(e){var t,o=this.hot.getSelectedRange().getTopLeftCorner(),n=this.hot.getSelectedRange().getBottomRightCorner();if(f(this.directions,M.vertical)&&(n.rowe.row))t=new b(e.row,n.col);else{if(!f(this.directions,M.horizontal))return;t=new b(n.row,e.col)}return this.reduceSelectionAreaIfNeeded(t)},showBorder:function(e){var t=this.getCoordsOfDragAndDropBorders(e);t&&this.redrawBorders(t)},addRow:function(){var e=this;this.hot._registerTimeout(setTimeout(function(){e.hot.alter(E),e.addingStarted=!1},O))},addNewRowIfNeeded:function(){if(this.hot.view.wt.selections.fill.cellRange&&this.addingStarted===!1&&this.autoInsertRow){var e=this.hot.getSelected(),t=this.hot.view.wt.selections.fill.getCorners(),o=this.hot.countRows();e[2]t&&e.clientX<=o},registerEvents:function(){var e=this;this.eventManager.addEventListener(document.documentElement,"mouseup",function(){return e.onMouseUp()}),this.eventManager.addEventListener(document.documentElement,"mousemove",function(t){return e.onMouseMove(t)})},onCellCornerDblClick:function(){var 
e=this.selectAdjacent();e&&this.fillIn()},onAfterCellCornerMouseDown:function(){this.handleDraggedCells=1,this.mouseDownOnCellCorner=!0},onBeforeCellMouseOver:function(e){this.mouseDownOnCellCorner&&!this.hot.view.isMouseDown()&&this.handleDraggedCells&&(this.handleDraggedCells++,this.showBorder(e),this.addNewRowIfNeeded())},onMouseUp:function(){this.handleDraggedCells&&(this.handleDraggedCells>1&&this.fillIn(),this.handleDraggedCells=0,this.mouseDownOnCellCorner=!1)},onMouseMove:function(e){var t=this.getIfMouseWasDraggedOutside(e);this.addingStarted===!1&&this.handleDraggedCells>0&&t?(this.mouseDragOutside=!0,this.addingStarted=!0):this.mouseDragOutside=!1,this.mouseDragOutside&&this.autoInsertRow&&this.addRow()},clearMappedSettings:function(){this.directions.length=0,this.autoInsertRow=!1},mapSettings:function(){var e=S(this.hot.getSettings().fillHandle);this.directions=e.directions,this.autoInsertRow=e.autoInsertRow},destroy:function(){$traceurRuntime.superGet(this,k.prototype,"destroy").call(this)}},{},d),y("autofill",T),h.hooks.register("modifyAutofillRange"),h.hooks.register("beforeAutofill")},{"3rdparty/walkontable/src/cell/coords":6,_base:62,browser:24,eventManager:42,"helpers/array":43,"helpers/dom/element":47,plugins:61,utils:66}],66:[function(e,t,o){"use strict";function n(e,t,o,n){var r=o.length,i=o?o[0].length:0,s=[],a=t.row-e.row,l=t.col-e.col;if(["down","up"].indexOf(n)!==-1){for(var u=[],c=0;c<=l;c++){var d=parseInt(o[0][c],10),h=parseInt(o[r-1][c],10),f=("down"===n?h-d:d-h)/(r-1)||0;u.push(f)}s.push(u)}if(["right","left"].indexOf(n)!==-1)for(var p=0;p<=a;p++){var g=parseInt(o[p][0],10),m=parseInt(o[p][i-1],10),w=("right"===n?m-g:g-m)/(i-1)||0;s.push([w])}return s}function r(e,t){var o,n,r;return t[0]===e[0]&&t[1]e[3]?(r="right",o=new WalkontableCellCoords(t[0],e[3]+1),n=new WalkontableCellCoords(t[2],t[3])):t[0]e[2]&&t[1]===e[1]&&(r="down",o=new WalkontableCellCoords(e[2]+1,t[1]),n=new 
WalkontableCellCoords(t[2],t[3])),{directionOfDrag:r,startOfDragCoords:o,endOfDragCoords:n}}function i(e){var t={};return e===!0?(t.directions=Object.keys(c),t.autoInsertRow=!0):l(e)?(u(e.autoInsertRow)?e.direction===c.horizontal?t.autoInsertRow=!1:t.autoInsertRow=e.autoInsertRow:t.autoInsertRow=!1,u(e.direction)?t.directions=[e.direction]:t.directions=Object.keys(c)):"string"==typeof e?(t.directions=[e],t.autoInsertRow=!0):(t.directions=[],t.autoInsertRow=!1),t}Object.defineProperties(o,{DIRECTIONS:{get:function(){return c}},getDeltas:{get:function(){return n}},getDragDirectionAndRange:{get:function(){return r}},getMappedFillHandleSetting:{get:function(){return i}},__esModule:{value:!0}});var s,a,l=(s=e("helpers/object"),s&&s.__esModule&&s||{default:s}).isObject,u=(a=e("helpers/mixed"),a&&a.__esModule&&a||{default:a}).isDefined,c={horizontal:"horizontal",vertical:"vertical"}},{"helpers/mixed":51,"helpers/object":53}],67:[function(e,t,o){"use strict";Object.defineProperties(o,{ColumnSorting:{get:function(){return C}},__esModule:{value:!0}});var n,r,i,s,a,l,u,c=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,d=(r=e("moment"),r&&r.__esModule&&r||{default:r}).default,h=(i=e("helpers/dom/element"),i&&i.__esModule&&i||{default:i}),f=h.addClass,p=(h.closest,h.hasClass),g=(h.index,h.removeClass),m=(s=e("helpers/array"),s&&s.__esModule&&s||{default:s}),w=(m.arrayEach,m.arrayMap),v=m.arrayReduce,y=((a=e("eventManager"),a&&a.__esModule&&a||{default:a}).eventManager,(l=e("_base"),l&&l.__esModule&&l||{default:l}).default),b=(u=e("plugins"),u&&u.__esModule&&u||{default:u}).registerPlugin;c.hooks.register("beforeColumnSort"),c.hooks.register("afterColumnSort");var C=function(e){$traceurRuntime.superConstructor(_).call(this,e),this.sortIndicators=[],this.lastSortedColumn=null},_=C;$traceurRuntime.createClass(C,{isEnabled:function(){return!!this.hot.getSettings().columnSorting},enablePlugin:function(){var e=this;if(!this.enabled){var 
t=this;this.hot.sortIndex=[],this.hot.sort=function(){var e=Array.prototype.slice.call(arguments);return t.sortByColumn.apply(t,e)},"undefined"==typeof this.hot.getSettings().observeChanges&&this.enableObserveChangesPlugin(),this.addHook("afterTrimRow",function(t){return e.sort()}),this.addHook("afterUntrimRow",function(t){return e.sort()}),this.addHook("modifyRow",function(t){return e.translateRow(t)}),this.addHook("unmodifyRow",function(t){return e.untranslateRow(t)}),this.addHook("afterUpdateSettings",function(){return e.onAfterUpdateSettings()}),this.addHook("afterGetColHeader",function(t,o){return e.getColHeader(t,o)}),this.addHook("afterOnCellMouseDown",function(t,o){return e.onAfterOnCellMouseDown(t,o)}),this.addHook("afterCreateRow",function(){t.afterCreateRow.apply(t,arguments)}),this.addHook("afterRemoveRow",function(){t.afterRemoveRow.apply(t,arguments)}),this.addHook("afterInit",function(){return e.sortBySettings()}),this.addHook("afterLoadData",function(){e.hot.sortIndex=[],e.hot.view&&e.sortBySettings()}),this.hot.view&&this.sortBySettings(),$traceurRuntime.superGet(this,_.prototype,"enablePlugin").call(this)}},disablePlugin:function(){this.hot.sort=void 0,$traceurRuntime.superGet(this,_.prototype,"disablePlugin").call(this)},onAfterUpdateSettings:function(){this.sortBySettings()},sortBySettings:function(){var e,t,o=this.hot.getSettings().columnSorting,n=this.loadSortingState();"undefined"==typeof n?(e=o.column,t=o.sortOrder):(e=n.sortColumn,t=n.sortOrder),"number"==typeof e&&(this.lastSortedColumn=e,this.sortByColumn(e,t))},setSortingColumn:function(e,t){return"undefined"==typeof e?(this.hot.sortColumn=void 0,void(this.hot.sortOrder=void 0)):(this.hot.sortColumn===e&&"undefined"==typeof t?this.hot.sortOrder===!1?this.hot.sortOrder=void 0:this.hot.sortOrder=!this.hot.sortOrder:this.hot.sortOrder="undefined"==typeof t||t,void(this.hot.sortColumn=e))},sortByColumn:function(e,t){if(this.setSortingColumn(e,t),"undefined"!=typeof this.hot.sortColumn){var 
o=c.hooks.run(this.hot,"beforeColumnSort",this.hot.sortColumn,this.hot.sortOrder);o!==!1&&this.sort(),this.updateOrderClass(),this.updateSortIndicator(),c.hooks.run(this.hot,"afterColumnSort",this.hot.sortColumn,this.hot.sortOrder),this.hot.render(),this.saveSortingState()}},saveSortingState:function(){var e={};"undefined"!=typeof this.hot.sortColumn&&(e.sortColumn=this.hot.sortColumn),"undefined"!=typeof this.hot.sortOrder&&(e.sortOrder=this.hot.sortOrder),(e.hasOwnProperty("sortColumn")||e.hasOwnProperty("sortOrder"))&&c.hooks.run(this.hot,"persistentStateSave","columnSorting",e)},loadSortingState:function(){var e={};return c.hooks.run(this.hot,"persistentStateLoad","columnSorting",e),e.value},updateOrderClass:function(){var e;this.hot.sortOrder===!0?e="ascending":this.hot.sortOrder===!1&&(e="descending"),this.sortOrderClass=e},enableObserveChangesPlugin:function(){var e=this;this.hot._registerTimeout(setTimeout(function(){e.hot.updateSettings({observeChanges:!0})},0))},defaultSort:function(e,t){return function(t,o){return"string"==typeof t[1]&&(t[1]=t[1].toLowerCase()),"string"==typeof o[1]&&(o[1]=o[1].toLowerCase()),t[1]===o[1]?0:null===t[1]||""===t[1]?1:null===o[1]||""===o[1]?-1:isNaN(t[1])&&!isNaN(o[1])?e?1:-1:!isNaN(t[1])&&isNaN(o[1])?e?-1:1:(isNaN(t[1])||isNaN(o[1])||(t[1]=parseFloat(t[1]),o[1]=parseFloat(o[1])),t[1]o[1]?e?1:-1:0)}},dateSort:function(e,t){return function(o,n){if(o[1]===n[1])return 0;if(null===o[1]||""===o[1])return 1;if(null===n[1]||""===n[1])return-1;var r=d(o[1],t.dateFormat),i=d(n[1],t.dateFormat);return r.isValid()?i.isValid()?i.isAfter(r)?e?-1:1:i.isBefore(r)?e?1:-1:0:-1:1}},numericSort:function(e,t){return function(t,o){var n=parseFloat(t[1]),r=parseFloat(o[1]);return n===r||isNaN(n)&&isNaN(r)?0:isNaN(n)?1:isNaN(r)?-1:nr?e?1:-1:0}},sort:function(){if("undefined"==typeof this.hot.sortOrder)return void(this.hot.sortIndex.length=0);var e,t;this.hot.sortingEnabled=!1,this.hot.sortIndex.length=0;var 
o,n=this.hot.countEmptyRows();o=this.hot.getSettings().maxRows===Number.POSITIVE_INFINITY?this.hot.countRows()-this.hot.getSettings().minSpareRows:this.hot.countRows()-n;for(var r=0,i=o;r=0&&r===-1&&f(o,"columnSorting"),g(o,"descending"),g(o,"ascending"),this.sortIndicators[e]&&e===this.hot.sortColumn&&("ascending"===this.sortOrderClass?f(o,"ascending"):"descending"===this.sortOrderClass&&f(o,"descending")))},isSorted:function(){return"undefined"!=typeof this.hot.sortColumn},afterCreateRow:function(e,t){if(this.isSorted()){for(var o=0;o=e&&(this.hot.sortIndex[o][0]+=t);for(var o=0;oo&&t++,t},0)}if(this.isSorted()){var n=this.hot.sortIndex.splice(e,t);n=w(n,function(e){return e[0]}),this.hot.sortIndex=w(this.hot.sortIndex,function(e,t){var n=o(e[0]);return n&&(e[0]-=n),e}),this.saveSortingState()}},onAfterOnCellMouseDown:function(e,t){t.row>-1||p(e.realTarget,"columnSorting")&&(t.col!==this.lastSortedColumn&&(this.hot.sortOrder=!0),this.lastSortedColumn=t.col,this.sortByColumn(t.col))}},{},y),b("columnSorting",C)},{_base:62,browser:24,eventManager:42,"helpers/array":43,"helpers/dom/element":47,moment:"moment",plugins:61}],68:[function(e,t,o){"use strict";Object.defineProperties(o,{CommentEditor:{get:function(){return i}},__esModule:{value:!0}});var n,r=(n=e("helpers/dom/element"),n&&n.__esModule&&n||{default:n}).addClass,i=function(){this.editor=this.createEditor(),this.editorStyle=this.editor.style,this.hidden=!0,this.hide()},s=i;$traceurRuntime.createClass(i,{setPosition:function(e,t){this.editorStyle.left=e+"px",this.editorStyle.top=t+"px"},setSize:function(e,t){if(e&&t){var o=this.getInputElement();o.style.width=e+"px",o.style.height=t+"px"}},resetSize:function(){var e=this.getInputElement();e.style.width="",e.style.height=""},setReadOnlyState:function(e){var 
t=this.getInputElement();t.readOnly=e},show:function(){this.editorStyle.display="block",this.hidden=!1},hide:function(){this.editorStyle.display="none",this.hidden=!0},isVisible:function(){return"block"===this.editorStyle.display},setValue:function(){var e=void 0!==arguments[0]?arguments[0]:"";e=e||"",this.getInputElement().value=e},getValue:function(){return this.getInputElement().value},isFocused:function(){return document.activeElement===this.getInputElement()},focus:function(){this.getInputElement().focus()},createEditor:function(){var e,t,o=document.querySelector("."+s.CLASS_EDITOR_CONTAINER);return o||(o=document.createElement("div"),r(o,s.CLASS_EDITOR_CONTAINER),document.body.appendChild(o)),e=document.createElement("div"),r(e,s.CLASS_EDITOR),t=document.createElement("textarea"),r(t,s.CLASS_INPUT),e.appendChild(t),o.appendChild(e),e},getInputElement:function(){return this.editor.querySelector("."+s.CLASS_INPUT)},destroy:function(){this.editor.parentNode.removeChild(this.editor),this.editor=null,this.editorStyle=null}},{get CLASS_EDITOR_CONTAINER(){return"htCommentsContainer"},get CLASS_EDITOR(){return"htComments"},get CLASS_INPUT(){return"htCommentTextArea"},get CLASS_CELL(){return"htCommentCell"}})},{"helpers/dom/element":47}],69:[function(e,t,o){"use strict";var n;Object.defineProperties(o,{Comments:{get:function(){return B}},__esModule:{value:!0}});var 
r,i,s,a,l,u,c,d,h,f,p=(r=e("browser"),r&&r.__esModule&&r||{default:r}).default,g=(i=e("helpers/dom/element"),i&&i.__esModule&&i||{default:i}),m=g.addClass,w=g.closest,v=g.isChildOf,y=g.hasClass,b=g.offset,C=g.outerWidth,_=g.outerHeight,R=g.getScrollableElement,M=(s=e("helpers/object"),s&&s.__esModule&&s||{default:s}),S=M.deepClone,E=M.deepExtend,O=(a=e("helpers/function"),a&&a.__esModule&&a||{default:a}).debounce,T=(l=e("eventManager"),l&&l.__esModule&&l||{default:l}).EventManager,k=(u=e("3rdparty/walkontable/src/cell/coords"),u&&u.__esModule&&u||{default:u}).WalkontableCellCoords,D=(c=e("plugins"),c&&c.__esModule&&c||{default:c}).registerPlugin,x=(d=e("_base"),d&&d.__esModule&&d||{default:d}).default,H=(h=e("commentEditor"),h&&h.__esModule&&h||{default:h}).CommentEditor,A=(f=e("contextMenu/utils"),f&&f.__esModule&&f||{default:f}),P=A.checkSelectionConsistency,N=A.markLabelAsSelected,L=new WeakMap,I="comment",W="value",j="style",V="readOnly",B=function(e){$traceurRuntime.superConstructor(F).call(this,e),this.editor=null,this.eventManager=null,this.range={},this.mouseDown=!1,this.contextMenuEvent=!1,this.timer=null,this.displayDelay=250,L.set(this,{tempEditorDimensions:{},cellBelowCursor:null})},F=B;$traceurRuntime.createClass(B,(n={},Object.defineProperty(n,"isEnabled",{value:function(){return!!this.hot.getSettings().comments},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"enablePlugin",{value:function(){var e=this;this.enabled||(this.editor||(this.editor=new H),this.eventManager||(this.eventManager=new T(this)),this.addHook("afterContextMenuDefaultOptions",function(t){return e.addToContextMenu(t)}),this.addHook("afterRenderer",function(t,o,n,r,i,s){return e.onAfterRenderer(t,s)}),this.addHook("afterScrollHorizontally",function(){return e.hide()}),this.addHook("afterScrollVertically",function(){return e.hide()}),this.addHook("afterBeginEditing",function(t){return 
e.onAfterBeginEditing(t)}),this.registerListeners(),$traceurRuntime.superGet(this,F.prototype,"enablePlugin").call(this))},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"disablePlugin",{value:function(){$traceurRuntime.superGet(this,F.prototype,"disablePlugin").call(this)},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"registerListeners",{value:function(){var e=this;this.eventManager.addEventListener(document,"mouseover",function(t){return e.onMouseOver(t)}),this.eventManager.addEventListener(document,"mousedown",function(t){return e.onMouseDown(t)}),this.eventManager.addEventListener(document,"mouseup",function(t){return e.onMouseUp(t)}),this.eventManager.addEventListener(this.editor.getInputElement(),"blur",function(t){return e.onEditorBlur(t)}),this.eventManager.addEventListener(this.editor.getInputElement(),"mousedown",function(t){return e.onEditorMouseDown(t)}),this.eventManager.addEventListener(this.editor.getInputElement(),"mouseup",function(t){return e.onEditorMouseUp(t)})},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"setRange",{value:function(e){this.range=e},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"clearRange",{value:function(){this.range={}},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"targetIsCellWithComment",{value:function(e){var t=w(e.target,"TD","TBODY");return!!(t&&y(t,"htCommentCell")&&w(t,[this.hot.rootElement]))},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"targetIsCommentTextArea",{value:function(e){return this.editor.getInputElement()===e.target},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"setComment",{value:function(e){var t;if(!this.range.from)throw new Error('Before using this method, first set cell range (hot.getPlugin("comment").setRange())');var o=this.editor.getValue(),n="";null!=e?n=e:null!=o&&(n=o);var 
r=this.range.from.row,i=this.range.from.col;this.updateCommentMeta(r,i,(t={},Object.defineProperty(t,W,{value:n,configurable:!0,enumerable:!0,writable:!0}),t)),this.hot.render()},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"setCommentAtCell",{value:function(e,t,o){this.setRange({from:new k(e,t)}),this.setComment(o)},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"removeComment",{value:function(){var e=void 0===arguments[0]||arguments[0];if(!this.range.from)throw new Error('Before using this method, first set cell range (hot.getPlugin("comment").setRange())');this.hot.setCellMeta(this.range.from.row,this.range.from.col,I,void 0),e&&this.hot.render(),this.hide()},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"removeCommentAtCell",{value:function(e,t){var o=void 0===arguments[2]||arguments[2];this.setRange({from:new k(e,t)}),this.removeComment(o)},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"getComment",{value:function(){},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"getCommentAtCell",{value:function(e,t){},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"show",{value:function(){if(!this.range.from)throw new Error('Before using this method, first set cell range (hot.getPlugin("comment").setRange())');var e=this.hot.getCellMeta(this.range.from.row,this.range.from.col);return this.refreshEditor(!0),this.editor.setValue(e[I]?e[I][W]:""),this.editor.hidden&&this.editor.show(),!0},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"showAtCell",{value:function(e,t){return this.setRange({from:new k(e,t)}),this.show()},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"hide",{value:function(){this.editor.hidden||this.editor.hide()},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"refreshEditor",{value:function(){var e=void 
0!==arguments[0]&&arguments[0];if(e||this.range.from&&this.editor.isVisible()){var t=R(this.hot.view.wt.wtTable.TABLE),o=this.hot.view.wt.wtTable.getCell(this.range.from),n=this.range.from.row,r=this.range.from.col,i=b(o),s=this.hot.view.wt.wtTable.getStretchedColumnWidth(r),a=i.top<0?0:i.top,l=i.left;this.hot.view.wt.wtViewport.hasVerticalScroll()&&t!==window&&(a-=this.hot.view.wt.wtOverlays.topOverlay.getScrollPosition()),this.hot.view.wt.wtViewport.hasHorizontalScroll()&&t!==window&&(l-=this.hot.view.wt.wtOverlays.leftOverlay.getScrollPosition());var u=l+s,c=a,d=this.getCommentMeta(n,r,j),h=this.getCommentMeta(n,r,V);d?this.editor.setSize(d.width,d.height):this.editor.resetSize(),this.editor.setReadOnlyState(h),this.editor.setPosition(u,c)}},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"checkSelectionCommentsConsistency",{value:function(){var e=this.hot.getSelectedRange();if(!e)return!1;var t=!1,o=e.from;return this.getCommentMeta(o.row,o.col,W)&&(t=!0),t},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"updateCommentMeta",{value:function(e,t,o){var n,r=this.hot.getCellMeta(e,t)[I];r?(n=S(r),E(n,o)):n=o,this.hot.setCellMeta(e,t,I,n)},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"getCommentMeta",{value:function(e,t,o){var n=this.hot.getCellMeta(e,t);if(n[I])return n[I][o]},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"onMouseDown",{value:function(e){if(this.mouseDown=!0,this.hot.view&&this.hot.view.wt){if(!this.contextMenuEvent&&!this.targetIsCommentTextArea(e)){var t=w(e.target,"TD","TBODY"),o=null;t&&(o=this.hot.view.wt.wtTable.getCoords(t)),(!t||this.range.from&&o&&(this.range.from.row!==o.row||this.range.from.col!==o.col))&&this.hide()}this.contextMenuEvent=!1}},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"onMouseOver",{value:function(e){var t=this;if(!this.mouseDown&&!this.editor.isFocused()){var 
o=L.get(this);o.cellBelowCursor=document.elementFromPoint(e.clientX,e.clientY),O(function(){if(!y(e.target,"wtBorder")&&o.cellBelowCursor===e.target&&t.editor)if(t.targetIsCellWithComment(e)){var n=t.hot.view.wt.wtTable.getCoords(e.target),r={from:new k(n.row,n.col)};t.setRange(r),t.show()}else!v(e.target,document)||t.targetIsCommentTextArea(e)||t.editor.isFocused()||t.hide()},this.displayDelay)()}},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"onMouseUp",{value:function(e){this.mouseDown=!1},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"onAfterRenderer",{value:function(e,t){t[I]&&t[I][W]&&m(e,t.commentedCellClassName)},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"onEditorBlur",{value:function(e){this.setComment()},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"onEditorMouseDown",{value:function(e){var t=L.get(this);t.tempEditorDimensions={width:C(e.target),height:_(e.target)}},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"onEditorMouseUp",{value:function(e){var t,o=L.get(this),n=C(e.target),r=_(e.target);n===o.tempEditorDimensions.width+1&&r===o.tempEditorDimensions.height+2||this.updateCommentMeta(this.range.from.row,this.range.from.col,(t={},Object.defineProperty(t,j,{value:{width:n,height:r},configurable:!0,enumerable:!0,writable:!0}),t))},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"onContextMenuAddComment",{value:function(){var e=this,t=this.hot.getSelectedRange();this.contextMenuEvent=!0,this.setRange({from:t.from}),this.show(),setTimeout(function(){e.hot&&(e.hot.deselectCell(),e.editor.focus())},10)},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"onContextMenuRemoveComment",{value:function(e){this.contextMenuEvent=!0;for(var t=e.start.row;t<=e.end.row;t++)for(var 
o=e.start.col;o<=e.end.col;o++)this.removeCommentAtCell(t,o,!1);this.hot.render()},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"onContextMenuMakeReadOnly",{value:function(e){var t;this.contextMenuEvent=!0;for(var o=e.start.row;o<=e.end.row;o++)for(var n=e.start.col;n<=e.end.col;n++){var r=!!this.getCommentMeta(o,n,V);this.updateCommentMeta(o,n,(t={},Object.defineProperty(t,V,{value:!r,configurable:!0,enumerable:!0,writable:!0}),t))}},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"addToContextMenu",{value:function(e){var t=this;e.items.push(p.plugins.ContextMenu.SEPARATOR,{key:"commentsAddEdit",name:function(){return t.checkSelectionCommentsConsistency()?"Edit comment":"Add comment"},callback:function(){return t.onContextMenuAddComment()},disabled:function(){return!(this.getSelected()&&!this.selection.selectedHeader.corner)}},{key:"commentsRemove",name:function(){return"Delete comment"},callback:function(e,o){return t.onContextMenuRemoveComment(o)},disabled:function(){return t.hot.selection.selectedHeader.corner}},{key:"commentsReadOnly",name:function(){var e=this,t="Read only comment",o=P(this.getSelectedRange(),function(t,o){var n=e.getCellMeta(t,o)[I];if(n&&(n=n[V]),n)return!0});return o&&(t=N(t)),t},callback:function(e,o){return t.onContextMenuMakeReadOnly(o)},disabled:function(){return 
t.hot.selection.selectedHeader.corner||!t.checkSelectionCommentsConsistency()}})},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"onAfterBeginEditing",{value:function(e,t){this.hide()},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"destroy",{value:function(){this.editor&&this.editor.destroy(),$traceurRuntime.superGet(this,F.prototype,"destroy").call(this)},configurable:!0,enumerable:!0,writable:!0}),n),{},x),D("comments",B)},{"3rdparty/walkontable/src/cell/coords":6,_base:62,browser:24,commentEditor:68,"contextMenu/utils":88,eventManager:42,"helpers/dom/element":47,"helpers/function":50,"helpers/object":53,plugins:61}],70:[function(e,t,o){"use strict";function n(e,t){var o;return i(t,function(t){var n=t.key?t.key.split(":"):null;if(Array.isArray(n)&&n[1]===e)return o=t,!1}),o}Object.defineProperties(o,{CommandExecutor:{get:function(){return s}},__esModule:{value:!0}});var r,i=(r=e("helpers/array"),r&&r.__esModule&&r||{default:r}).arrayEach,s=function(e){this.hot=e,this.commands={},this.commonCallback=null};$traceurRuntime.createClass(s,{registerCommand:function(e,t){this.commands[e]=t},setCommonCallback:function(e){this.commonCallback=e},execute:function(e){for(var t=[],o=1;o=e.offsetHeight},fitsBelow:function(e){var t=void 0!==arguments[1]?arguments[1]:window.innerHeight;return this.topRelative+e.offsetHeight<=t},fitsOnRight:function(e){var t=void 0!==arguments[1]?arguments[1]:window.innerWidth;return this.leftRelative+this.cellWidth+e.offsetWidth<=t},fitsOnLeft:function(e){return this.leftRelative>=e.offsetWidth}},{}),s.plugins.utils=s.plugins.utils||{},s.plugins.utils.Cursor=f},{browser:24,"helpers/dom/element":47,"helpers/dom/event":48}],73:[function(e,t,o){"use strict";function n(){var e=void 0!==arguments[0]?arguments[0]:null,t=void 0!==arguments[1]?arguments[1]:[],o=void 0!==arguments[2]?arguments[2]:{},n=[];return e&&e.items?e=e.items:Array.isArray(e)||(e=t),u(e)?l(e,function(e,t){var r=o["string"==typeof 
e?e:t];r||(r=e),u(e)?c(r,e):"string"==typeof r&&(r={name:r}),void 0===r.key&&(r.key=t),n.push(r)}):d(e,function(e,t){var r=o[e];!r&&p.indexOf(e)>=0||(r||(r={name:e,key:t+""}),u(e)&&c(r,e),void 0===r.key&&(r.key=t),n.push(r))}),n}Object.defineProperties(o,{ItemsFactory:{get:function(){return m}},__esModule:{value:!0}});var r,i,s,a=(r=e("helpers/object"),r&&r.__esModule&&r||{default:r}),l=a.objectEach,u=a.isObject,c=a.extend,d=(i=e("helpers/array"),i&&i.__esModule&&i||{default:i}).arrayEach,h=(s=e("predefinedItems"),s&&s.__esModule&&s||{default:s}),f=h.SEPARATOR,p=h.ITEMS,g=h.predefinedItems,m=function(e){var t=void 0!==arguments[1]?arguments[1]:null;this.hot=e,this.predefinedItems=g(),this.defaultOrderPattern=t};$traceurRuntime.createClass(m,{setPredefinedItems:function(e){var t=this,o={};this.defaultOrderPattern.length=0,l(e,function(e,n){var r="";e.name===f?(o[f]=e,r=f):isNaN(parseInt(n,10))?(e.key=void 0===e.key?n:e.key,o[n]=e,r=e.key):(o[e.key]=e,r=e.key),t.defaultOrderPattern.push(r)}),this.predefinedItems=o},getItems:function(){var e=void 0!==arguments[0]?arguments[0]:null;return n(e,this.defaultOrderPattern,this.predefinedItems)}},{})},{"helpers/array":43,"helpers/object":53,predefinedItems:75}],74:[function(e,t,o){"use strict";Object.defineProperties(o,{Menu:{get:function(){return z}},__esModule:{value:!0}});var 
n,r,i,s,a,l,u,c,d,h,f,p,g=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,m=(r=e("helpers/dom/element"),r&&r.__esModule&&r||{default:r}),w=m.addClass,v=m.empty,y=m.fastInnerHTML,b=m.getScrollbarWidth,C=m.isChildOf,_=m.removeClass,R=(i=e("helpers/array"),i&&i.__esModule&&i||{default:i}),M=R.arrayEach,S=R.arrayFilter,E=R.arrayReduce,O=(s=e("cursor"),s&&s.__esModule&&s||{default:s}).Cursor,T=(a=e("eventManager"),a&&a.__esModule&&a||{default:a}).EventManager,k=(l=e("helpers/object"),l&&l.__esModule&&l||{default:l}).mixin,D=(u=e("helpers/function"),u&&u.__esModule&&u||{default:u}).debounce,x=(c=e("utils"),c&&c.__esModule&&c||{default:c}),H=x.filterSeparators,A=x.hasSubMenu,P=x.isDisabled,N=x.isItemHidden,L=x.isSeparator,I=x.isSelectionDisabled,W=x.normalizeSelection,j=(d=e("helpers/unicode"),d&&d.__esModule&&d||{default:d}).KEY_CODES,V=(h=e("mixins/localHooks"),h&&h.__esModule&&h||{default:h}).localHooks,B=(f=e("predefinedItems"),f&&f.__esModule&&f||{default:f}).SEPARATOR,F=(p=e("helpers/dom/event"),p&&p.__esModule&&p||{default:p}).stopImmediatePropagation,z=function(e,t){this.hot=e,this.options=t||{parent:null,name:null,className:"",keepInViewport:!0,standalone:!1},this.eventManager=new T(this),this.container=this.createContainer(this.options.name),this.hotMenu=null,this.hotSubMenus={},this.parentMenu=this.options.parent||null,this.menuItems=null,this.origOutsideClickDeselects=null,this.offset={above:0,below:0,left:0,right:0},this._afterScrollCallback=null,this.registerEvents()},Y=z;$traceurRuntime.createClass(z,{registerEvents:function(){var e=this;this.eventManager.addEventListener(document.documentElement,"mousedown",function(t){return e.onDocumentMouseDown(t)})},setMenuItems:function(e){this.menuItems=e},setOffset:function(e){var t=void 0!==arguments[1]?arguments[1]:0;this.offset[e]=t},isSubMenu:function(){return null!==this.parentMenu},open:function(){var e=this;this.container.removeAttribute("style"),this.container.style.display="block";var 
t=D(function(t){return e.openSubMenu(t)},300),o=S(this.menuItems,function(t){return N(t,e.hot)});o=H(o,B);var n={data:o,colHeaders:!1,colWidths:[200],autoRowSize:!1,readOnly:!0,copyPaste:!1,columns:[{data:"name",renderer:function(t,o,n,r,i,s){return e.menuItemRenderer(t,o,n,r,i,s)}}],renderAllRows:!0,fragmentSelection:"cell",disableVisualSelection:"area",beforeKeyDown:function(t){return e.onBeforeKeyDown(t)},afterOnCellMouseOver:function(o,n,r){e.isAllSubMenusClosed()?t(n.row):e.openSubMenu(n.row)}};this.origOutsideClickDeselects=this.hot.getSettings().outsideClickDeselects,this.hot.getSettings().outsideClickDeselects=!1,this.hotMenu=new g.Core(this.container,n),this.hotMenu.addHook("afterInit",function(){return e.onAfterInit()}),this.hotMenu.init(),this.hotMenu.listen(),this.blockMainTableCallbacks(),this.runLocalHooks("afterOpen")},close:function(){var e=void 0!==arguments[0]&&arguments[0];this.isOpened()&&(e&&this.parentMenu?this.parentMenu.close():(this.closeAllSubMenus(),this.container.style.display="none",this.releaseMainTableCallbacks(),this.hotMenu.destroy(),this.hotMenu=null,this.hot.getSettings().outsideClickDeselects=this.origOutsideClickDeselects,this.runLocalHooks("afterClose"),this.parentMenu&&this.parentMenu.hotMenu.listen()))},openSubMenu:function(e){if(!this.hotMenu)return!1;var t=this.hotMenu.getCell(e,0);if(this.closeAllSubMenus(),!t||!A(t))return!1;var o=this.hotMenu.getSourceDataAtRow(e),n=new Y(this.hot,{parent:this,name:o.name,className:this.options.className,keepInViewport:!0});return n.setMenuItems(o.submenu.items),n.open(),n.setPosition(t.getBoundingClientRect()),this.hotSubMenus[o.key]=n,n},closeSubMenu:function(e){var t=this.hotMenu.getSourceDataAtRow(e),o=this.hotSubMenus[t.key];o&&(o.destroy(),delete this.hotSubMenus[t.key])},closeAllSubMenus:function(){var e=this;M(this.hotMenu.getData(),function(t,o){return e.closeSubMenu(o)})},isAllSubMenusClosed:function(){return 
0===Object.keys(this.hotSubMenus).length},destroy:function(){this.clearLocalHooks(),this.close(),this.parentMenu=null,this.eventManager.destroy()},isOpened:function(){return null!==this.hotMenu},executeCommand:function(e){if(this.isOpened()&&this.hotMenu.getSelected()){var t=this.hotMenu.getSourceDataAtRow(this.hotMenu.getSelected()[0]);if(this.runLocalHooks("select",t,e),t.isCommand!==!1&&t.name!==B){var o=this.hot.getSelectedRange(),n=o?W(o):{},r=!0;(t.disabled===!0||"function"==typeof t.disabled&&t.disabled.call(this.hot)===!0||t.submenu)&&(r=!1),this.runLocalHooks("executeCommand",t.key,n,e),this.isSubMenu()&&this.parentMenu.runLocalHooks("executeCommand",t.key,n,e),r&&this.close(!0)}}},setPosition:function(e){var t=new O(e);this.options.keepInViewport?(t.fitsBelow(this.container)?this.setPositionBelowCursor(t):t.fitsAbove(this.container)?this.setPositionAboveCursor(t):this.setPositionBelowCursor(t),t.fitsOnRight(this.container)?this.setPositionOnRightOfCursor(t):this.setPositionOnLeftOfCursor(t)):(this.setPositionBelowCursor(t),this.setPositionOnRightOfCursor(t))},setPositionAboveCursor:function(e){var t=this.offset.above+e.top-this.container.offsetHeight;this.isSubMenu()&&(t=e.top+e.cellHeight-this.container.offsetHeight+3),this.container.style.top=t+"px"},setPositionBelowCursor:function(e){var t=this.offset.below+e.top;this.isSubMenu()&&(t=e.top-1),this.container.style.top=t+"px"},setPositionOnRightOfCursor:function(e){var t;t=this.isSubMenu()?1+e.left+e.cellWidth:this.offset.right+1+e.left,this.container.style.left=t+"px"},setPositionOnLeftOfCursor:function(e){var t=this.offset.left+e.left-this.container.offsetWidth+b()+4;this.container.style.left=t+"px"},selectFirstCell:function(){var e=this.hotMenu.getCell(0,0);L(e)||P(e)||I(e)?this.selectNextCell(0,0):this.hotMenu.selectCell(0,0)},selectLastCell:function(){var 
e=this.hotMenu.countRows()-1,t=this.hotMenu.getCell(e,0);L(t)||P(t)||I(t)?this.selectPrevCell(e,0):this.hotMenu.selectCell(e,0)},selectNextCell:function(e,t){var o=e+1,n=o=0?this.hotMenu.getCell(o,t):null;n&&(L(n)||P(n)||I(n)?this.selectPrevCell(o,t):this.hotMenu.selectCell(o,t))},menuItemRenderer:function(e,t,o,n,r,i){var s=this,a=e.getSourceDataAtRow(o),l=document.createElement("div"),u=function(e){return e.hasOwnProperty("submenu")},c=function(e){return new RegExp(B,"i").test(e.name)},d=function(e){return e.disabled===!0||"function"==typeof e.disabled&&e.disabled.call(s.hot)===!0},h=function(e){return e.disableSelection};"function"==typeof i&&(i=i.call(this.hot)),v(t),w(l,"htItemWrapper"),t.appendChild(l),c(a)?w(t,"htSeparator"):"function"==typeof a.renderer?(w(t,"htCustomMenuRenderer"),t.appendChild(a.renderer(e,l,o,n,r,i))):y(l,i),d(a)?(w(t,"htDisabled"),this.eventManager.addEventListener(t,"mouseenter",function(){return e.deselectCell()})):h(a)?(w(t,"htSelectionDisabled"),this.eventManager.addEventListener(t,"mouseenter",function(){return e.deselectCell()})):u(a)?(w(t,"htSubmenu"),h(a)?this.eventManager.addEventListener(t,"mouseenter",function(){return e.deselectCell()}):this.eventManager.addEventListener(t,"mouseenter",function(){return e.selectCell(o,n,void 0,void 0,!1,!1)})):(_(t,"htSubmenu"),_(t,"htDisabled"),h(a)?this.eventManager.addEventListener(t,"mouseenter",function(){return e.deselectCell()}):this.eventManager.addEventListener(t,"mouseenter",function(){return e.selectCell(o,n,void 0,void 0,!1,!1)}))},createContainer:function(){var e=void 0!==arguments[0]?arguments[0]:null;e&&(e=e.replace(/ /g,"_"),e=this.options.className+"Sub_"+e);var t;return t=e?document.querySelector("."+this.options.className+"."+e):document.querySelector("."+this.options.className),t||(t=document.createElement("div"),w(t,"htMenu 
"+this.options.className),e&&w(t,e),document.getElementsByTagName("body")[0].appendChild(t)),t},blockMainTableCallbacks:function(){this._afterScrollCallback=function(){},this.hot.addHook("afterScrollVertically",this._afterScrollCallback),this.hot.addHook("afterScrollHorizontally",this._afterScrollCallback)},releaseMainTableCallbacks:function(){this._afterScrollCallback&&(this.hot.removeHook("afterScrollVertically",this._afterScrollCallback),this.hot.removeHook("afterScrollHorizontally",this._afterScrollCallback),this._afterScrollCallback=null)},onBeforeKeyDown:function(e){var t=this.hotMenu.getSelected(),o=!1;switch(e.keyCode){case j.ESCAPE:this.close(),o=!0;break;case j.ENTER:t&&(this.hotMenu.getSourceDataAtRow(t[0]).submenu?o=!0:(this.executeCommand(e),this.close(!0)));break;case j.ARROW_DOWN:t?this.selectNextCell(t[0],t[1]):this.selectFirstCell(),o=!0;break;case j.ARROW_UP:t?this.selectPrevCell(t[0],t[1]):this.selectLastCell(),o=!0;break;case j.ARROW_RIGHT:if(t){var n=this.openSubMenu(t[0]);n&&n.selectFirstCell()}o=!0;break;case j.ARROW_LEFT:t&&this.isSubMenu()&&(this.close(),this.parentMenu&&this.parentMenu.hotMenu.listen(),o=!0)}o&&(e.preventDefault(),F(e))},onAfterInit:function(){var e=this.hotMenu.getSettings().data,t=this.hotMenu.view.wt.wtTable.hider.style,o=this.hotMenu.view.wt.wtTable.holder.style,n=parseInt(t.width,10),r=E(e,function(e,t){return 
e+(t.name===B?1:26)},0);o.width=n+22+"px",o.height=r+4+"px",t.height=o.height},onDocumentMouseDown:function(e){this.isOpened()&&(this.container&&C(e.target,this.container)&&this.executeCommand(e),this.options.standalone&&this.hotMenu&&!C(e.target,this.hotMenu.rootElement)?this.close(!0):(this.isAllSubMenusClosed()||this.isSubMenu())&&!C(e.target,".htMenu")&&C(e.target,document)&&this.close(!0))}},{}),k(z,V)},{browser:24,cursor:72,eventManager:42,"helpers/array":43,"helpers/dom/element":47,"helpers/dom/event":48,"helpers/function":50,"helpers/object":53,"helpers/unicode":56,"mixins/localHooks":58,predefinedItems:75,utils:88}],75:[function(e,t,o){"use strict";function n(){var e={};return y(ne,function(t,o){return e[o]=t()}),e}function r(e,t){oe.indexOf(e)===-1&&(ne[e]=t)}var i;Object.defineProperties(o,{ALIGNMENT:{get:function(){return a.KEY}},CLEAR_COLUMN:{get:function(){return l.KEY}},COLUMN_LEFT:{get:function(){return u.KEY}},COLUMN_RIGHT:{get:function(){return c.KEY}},READ_ONLY:{get:function(){return d.KEY}},REDO:{get:function(){return h.KEY}},REMOVE_COLUMN:{get:function(){return f.KEY}},REMOVE_ROW:{get:function(){return p.KEY}},ROW_ABOVE:{get:function(){return g.KEY}},ROW_BELOW:{get:function(){return m.KEY}},SEPARATOR:{get:function(){return w.KEY}},UNDO:{get:function(){return v.KEY}},ITEMS:{get:function(){return oe}},predefinedItems:{get:function(){return n}},addItem:{get:function(){return r}},__esModule:{value:!0}});var 
s,a,l,u,c,d,h,f,p,g,m,w,v,a,l,u,c,d,h,f,p,g,m,w,v,y=(s=e("helpers/object"),s&&s.__esModule&&s||{default:s}).objectEach,b=(a=e("predefinedItems/alignment"),a&&a.__esModule&&a||{default:a}),C=b.alignmentItem,_=b.KEY,R=(l=e("predefinedItems/clearColumn"),l&&l.__esModule&&l||{default:l}),M=R.clearColumnItem,S=R.KEY,E=(u=e("predefinedItems/columnLeft"),u&&u.__esModule&&u||{default:u}),O=E.columnLeftItem,T=E.KEY,k=(c=e("predefinedItems/columnRight"),c&&c.__esModule&&c||{default:c}),D=k.columnRightItem,x=k.KEY,H=(d=e("predefinedItems/readOnly"),d&&d.__esModule&&d||{default:d}),A=H.readOnlyItem,P=H.KEY,N=(h=e("predefinedItems/redo"),h&&h.__esModule&&h||{default:h}),L=N.redoItem,I=N.KEY,W=(f=e("predefinedItems/removeColumn"),f&&f.__esModule&&f||{default:f}),j=W.removeColumnItem,V=W.KEY,B=(p=e("predefinedItems/removeRow"),p&&p.__esModule&&p||{default:p}),F=B.removeRowItem,z=B.KEY,Y=(g=e("predefinedItems/rowAbove"),g&&g.__esModule&&g||{default:g}),U=Y.rowAboveItem,G=Y.KEY,$=(m=e("predefinedItems/rowBelow"),m&&m.__esModule&&m||{default:m}),K=$.rowBelowItem,X=$.KEY,q=(w=e("predefinedItems/separator"),w&&w.__esModule&&w||{default:w}),Z=q.separatorItem,J=q.KEY,Q=(v=e("predefinedItems/undo"),v&&v.__esModule&&v||{default:v}),ee=Q.undoItem,te=Q.KEY,a=(a=e("predefinedItems/alignment"),a&&a.__esModule&&a||{default:a}),l=(l=e("predefinedItems/clearColumn"),l&&l.__esModule&&l||{default:l}),u=(u=e("predefinedItems/columnLeft"),u&&u.__esModule&&u||{default:u}),c=(c=e("predefinedItems/columnRight"),c&&c.__esModule&&c||{default:c}),d=(d=e("predefinedItems/readOnly"),d&&d.__esModule&&d||{default:d}),h=(h=e("predefinedItems/redo"),h&&h.__esModule&&h||{default:h}),f=(f=e("predefinedItems/removeColumn"),f&&f.__esModule&&f||{default:f}),p=(p=e("predefinedItems/removeRow"),p&&p.__esModule&&p||{default:p}),g=(g=e("predefinedItems/rowAbove"),g&&g.__esModule&&g||{default:g}),m=(m=e("predefinedItems/rowBelow"),m&&m.__esModule&&m||{default:m}),w=(w=e("predefinedItems/separator"),w&&w.__esModule&&w||{de
fault:w}),v=(v=e("predefinedItems/undo"),v&&v.__esModule&&v||{default:v}),oe=[G,X,T,x,S,z,V,te,I,P,_,J],ne=(i={},Object.defineProperty(i,J,{value:Z,configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(i,G,{value:U,configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(i,X,{value:K,configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(i,T,{value:O,configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(i,x,{value:D,configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(i,S,{value:M,configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(i,z,{value:F,configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(i,V,{value:j,configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(i,te,{value:ee,configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(i,I,{value:L,configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(i,P,{value:A,configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(i,_,{value:C,configurable:!0,enumerable:!0,writable:!0}),i)},{"helpers/object":53,"predefinedItems/alignment":76,"predefinedItems/clearColumn":77,"predefinedItems/columnLeft":78,"predefinedItems/columnRight":79,"predefinedItems/readOnly":80,"predefinedItems/redo":81,"predefinedItems/removeColumn":82,"predefinedItems/removeRow":83,"predefinedItems/rowAbove":84,"predefinedItems/rowBelow":85,"predefinedItems/separator":86,"predefinedItems/undo":87}],76:[function(e,t,o){"use strict";function n(){return{key:h,name:"Alignment",disabled:function(){return!(this.getSelectedRange()&&!this.selection.selectedHeader.corner)},submenu:{items:[{key:h+":left",name:function(){var e=this,t="Left",o=u(this.getSelectedRange(),function(t,o){var n=e.getCellMeta(t,o).className;if(n&&n.indexOf("htLeft")!==-1)return!0});return o&&(t=c(t)),t},callback:function(){var e=this,t=this.getSelectedRange(),o=l(t,function(t,o){return 
e.getCellMeta(t,o).className}),n="horizontal",r="htLeft";this.runHooks("beforeCellAlignment",o,t,n,r),a(t,n,r,function(t,o){return e.getCellMeta(t,o)}),this.render()},disabled:!1},{key:h+":center",name:function(){var e=this,t="Center",o=u(this.getSelectedRange(),function(t,o){var n=e.getCellMeta(t,o).className;if(n&&n.indexOf("htCenter")!==-1)return!0});return o&&(t=c(t)),t},callback:function(){var e=this,t=this.getSelectedRange(),o=l(t,function(t,o){return e.getCellMeta(t,o).className}),n="horizontal",r="htCenter";this.runHooks("beforeCellAlignment",o,t,n,r),a(t,n,r,function(t,o){return e.getCellMeta(t,o)}),this.render()},disabled:!1},{key:h+":right",name:function(){var e=this,t="Right",o=u(this.getSelectedRange(),function(t,o){var n=e.getCellMeta(t,o).className;if(n&&n.indexOf("htRight")!==-1)return!0});return o&&(t=c(t)),t},callback:function(){var e=this,t=this.getSelectedRange(),o=l(t,function(t,o){return e.getCellMeta(t,o).className}),n="horizontal",r="htRight";this.runHooks("beforeCellAlignment",o,t,n,r),a(t,n,r,function(t,o){return e.getCellMeta(t,o)}),this.render()},disabled:!1},{key:h+":justify",name:function(){var e=this,t="Justify",o=u(this.getSelectedRange(),function(t,o){var n=e.getCellMeta(t,o).className;if(n&&n.indexOf("htJustify")!==-1)return!0});return o&&(t=c(t)),t},callback:function(){var e=this,t=this.getSelectedRange(),o=l(t,function(t,o){return e.getCellMeta(t,o).className}),n="horizontal",r="htJustify";this.runHooks("beforeCellAlignment",o,t,n,r),a(t,n,r,function(t,o){return e.getCellMeta(t,o)}),this.render()},disabled:!1},{name:d},{key:h+":top",name:function(){var e=this,t="Top",o=u(this.getSelectedRange(),function(t,o){var n=e.getCellMeta(t,o).className;if(n&&n.indexOf("htTop")!==-1)return!0});return o&&(t=c(t)),t},callback:function(){var e=this,t=this.getSelectedRange(),o=l(t,function(t,o){return e.getCellMeta(t,o).className}),n="vertical",r="htTop";this.runHooks("beforeCellAlignment",o,t,n,r),a(t,n,r,function(t,o){return 
e.getCellMeta(t,o)}),this.render()},disabled:!1},{key:h+":middle",name:function(){var e=this,t="Middle",o=u(this.getSelectedRange(),function(t,o){var n=e.getCellMeta(t,o).className;if(n&&n.indexOf("htMiddle")!==-1)return!0});return o&&(t=c(t)),t},callback:function(){var e=this,t=this.getSelectedRange(),o=l(t,function(t,o){return e.getCellMeta(t,o).className}),n="vertical",r="htMiddle";this.runHooks("beforeCellAlignment",o,t,n,r),a(t,n,r,function(t,o){return e.getCellMeta(t,o)}),this.render()},disabled:!1},{key:h+":bottom",name:function(){var e=this,t="Bottom",o=u(this.getSelectedRange(),function(t,o){var n=e.getCellMeta(t,o).className;if(n&&n.indexOf("htBottom")!==-1)return!0});return o&&(t=c(t)),t},callback:function(){var e=this,t=this.getSelectedRange(),o=l(t,function(t,o){return e.getCellMeta(t,o).className}),n="vertical",r="htBottom";this.runHooks("beforeCellAlignment",o,t,n,r),a(t,n,r,function(t,o){return e.getCellMeta(t,o)}),this.render()},disabled:!1}]}}}Object.defineProperties(o,{KEY:{get:function(){return h}},alignmentItem:{get:function(){return n}},__esModule:{value:!0}});var r,i,s=(r=e("utils"),r&&r.__esModule&&r||{default:r}),a=s.align,l=s.getAlignmentClasses,u=s.checkSelectionConsistency,c=s.markLabelAsSelected,d=(i=e("separator"),i&&i.__esModule&&i||{default:i}).KEY,h="alignment"},{separator:86,utils:88}],77:[function(e,t,o){"use strict";function n(){return{key:s,name:"Clear column",callback:function(e,t){var o=t.start.col;this.countRows()&&this.populateFromArray(0,o,[[null]],Math.max(t.start.row,t.end.row),o)},disabled:function(){var e=i(this);if(!e)return!0;var t=[e[0],0,e[0],this.countCols()-1],o=t.join(",")==e.join(",");return e[1]<0||this.countCols()>=this.getSettings().maxCols||o}}}Object.defineProperties(o,{KEY:{get:function(){return s}},clearColumnItem:{get:function(){return n}},__esModule:{value:!0}});var r,i=(r=e("utils"),r&&r.__esModule&&r||{default:r}).getValidSelection,s="clear_column"},{utils:88}],78:[function(e,t,o){"use 
strict";function n(){return{key:s,name:"Insert column on the left",callback:function(e,t){this.alter("insert_col",t.start.col)},disabled:function(){var e=i(this);if(!e)return!0;if(!this.isColumnModificationAllowed())return!0;var t=[e[0],0,e[0],this.countCols()-1],o=t.join(",")==e.join(","),n=1===this.countCols();return e[1]<0||this.countCols()>=this.getSettings().maxCols||!n&&o},hidden:function(){return!this.getSettings().allowInsertColumn}}}Object.defineProperties(o,{KEY:{get:function(){return s}},columnLeftItem:{get:function(){return n}},__esModule:{value:!0}});var r,i=(r=e("utils"),r&&r.__esModule&&r||{default:r}).getValidSelection,s="col_left"},{utils:88}],79:[function(e,t,o){"use strict";function n(){return{key:s,name:"Insert column on the right",callback:function(e,t){this.alter("insert_col",t.end.col+1)},disabled:function(){var e=i(this);if(!e)return!0;if(!this.isColumnModificationAllowed())return!0;var t=[e[0],0,e[0],this.countCols()-1],o=t.join(",")==e.join(","),n=1===this.countCols();return e[1]<0||this.countCols()>=this.getSettings().maxCols||!n&&o},hidden:function(){return!this.getSettings().allowInsertColumn}}}Object.defineProperties(o,{KEY:{get:function(){return s}},columnRightItem:{get:function(){return n}},__esModule:{value:!0}});var r,i=(r=e("utils"),r&&r.__esModule&&r||{default:r}).getValidSelection,s="col_right"},{utils:88}],80:[function(e,t,o){"use strict";function n(){return{key:l,name:function(){var e=this,t="Read only",o=s(this.getSelectedRange(),function(t,o){return e.getCellMeta(t,o).readOnly});return o&&(t=a(t)),t},callback:function(){var e=this,t=this.getSelectedRange(),o=s(t,function(t,o){return e.getCellMeta(t,o).readOnly});t.forAll(function(t,n){e.setCellMeta(t,n,"readOnly",!o)}),this.render()},disabled:function(){return!(this.getSelectedRange()&&!this.selection.selectedHeader.corner)}}}Object.defineProperties(o,{KEY:{get:function(){return l}},readOnlyItem:{get:function(){return n}},__esModule:{value:!0}});var 
r,i=(r=e("utils"),r&&r.__esModule&&r||{default:r}),s=i.checkSelectionConsistency,a=i.markLabelAsSelected,l="make_read_only"},{utils:88}],81:[function(e,t,o){"use strict";function n(){return{key:r,name:"Redo",callback:function(){this.redo()},disabled:function(){return this.undoRedo&&!this.undoRedo.isRedoAvailable()}}}Object.defineProperties(o,{KEY:{get:function(){return r}},redoItem:{get:function(){return n}},__esModule:{value:!0}});var r="redo"},{}],82:[function(e,t,o){"use strict";function n(){return{key:s,name:"Remove column",callback:function(e,t){var o=t.end.col-t.start.col+1;this.alter("remove_col",t.start.col,o)},disabled:function(){var e=i(this),t=this.countCols();return!e||this.selection.selectedHeader.rows||this.selection.selectedHeader.corner||!this.isColumnModificationAllowed()||!t},hidden:function(){return!this.getSettings().allowRemoveColumn}}}Object.defineProperties(o,{KEY:{get:function(){return s}},removeColumnItem:{get:function(){return n}},__esModule:{value:!0}});var r,i=(r=e("utils"),r&&r.__esModule&&r||{default:r}).getValidSelection,s="remove_col"},{utils:88}],83:[function(e,t,o){"use strict";function n(){return{key:s,name:"Remove row",callback:function(e,t){var o=t.end.row-t.start.row+1;this.alter("remove_row",t.start.row,o)},disabled:function(){var e=i(this),t=this.countRows();return!e||this.selection.selectedHeader.cols||this.selection.selectedHeader.corner||!t},hidden:function(){return!this.getSettings().allowRemoveRow}}}Object.defineProperties(o,{KEY:{get:function(){return s}},removeRowItem:{get:function(){return n}},__esModule:{value:!0}});var r,i=(r=e("utils"),r&&r.__esModule&&r||{default:r}).getValidSelection,s="remove_row"},{utils:88}],84:[function(e,t,o){"use strict";function n(){return{key:s,name:"Insert row above",callback:function(e,t){this.alter("insert_row",t.start.row)},disabled:function(){var 
e=i(this);return!e||this.selection.selectedHeader.cols||this.countRows()>=this.getSettings().maxRows},hidden:function(){return!this.getSettings().allowInsertRow}}}Object.defineProperties(o,{KEY:{get:function(){return s}},rowAboveItem:{get:function(){return n}},__esModule:{value:!0}});var r,i=(r=e("utils"),r&&r.__esModule&&r||{default:r}).getValidSelection,s="row_above"},{utils:88}],85:[function(e,t,o){"use strict";function n(){return{key:s,name:"Insert row below",callback:function(e,t){this.alter("insert_row",t.end.row+1)},disabled:function(){var e=i(this);return!e||this.selection.selectedHeader.cols||this.countRows()>=this.getSettings().maxRows},hidden:function(){return!this.getSettings().allowInsertRow}}}Object.defineProperties(o,{KEY:{get:function(){return s}},rowBelowItem:{get:function(){return n}},__esModule:{value:!0}});var r,i=(r=e("utils"),r&&r.__esModule&&r||{default:r}).getValidSelection,s="row_below"},{utils:88}],86:[function(e,t,o){"use strict";function n(){return{name:r}}Object.defineProperties(o,{KEY:{get:function(){return r}},separatorItem:{get:function(){return n}},__esModule:{value:!0}});var r="---------"},{}],87:[function(e,t,o){"use strict";function n(){return{key:r,name:"Undo",callback:function(){this.undo()},disabled:function(){return this.undoRedo&&!this.undoRedo.isUndoAvailable()}}}Object.defineProperties(o,{KEY:{get:function(){return r}},undoItem:{get:function(){return n}},__esModule:{value:!0}});var r="undo"},{}],88:[function(e,t,o){"use strict";function n(e){return{start:e.getTopLeftCorner(),end:e.getBottomRightCorner()}}function r(e){return S(e,"htSeparator")}function i(e){return S(e,"htSubmenu")}function s(e){return S(e,"htDisabled")}function a(e){return S(e,"htSelectionDisabled")}function l(e){var t=e.getSelected();return t?t[0]<0?null:t:null}function u(e,t){return e.indexOf(t)!=-1?e:(e=e.replace("htTop","").replace("htMiddle","").replace("htBottom","").replace(" ",""),e+=" "+t)}function c(e,t){return 
e.indexOf(t)!=-1?e:(e=e.replace("htLeft","").replace("htCenter","").replace("htRight","").replace("htJustify","").replace(" ",""),e+=" "+t)}function d(e,t){for(var o={},n=e.from.row;n<=e.to.row;n++)for(var r=e.from.col;r<=e.to.col;r++)o[n]||(o[n]=[]), -o[n][r]=t(n,r);return o}function h(e,t,o,n){if(e.from.row==e.to.row&&e.from.col==e.to.col)f(e.from.row,e.from.col,t,o,n);else for(var r=e.from.row;r<=e.to.row;r++)for(var i=e.from.col;i<=e.to.col;i++)f(r,i,t,o,n)}function f(e,t,o,n,r){var i=r(e,t),s=n;i.className&&(s="vertical"===o?u(i.className,n):c(i.className,n)),i.className=s}function p(e,t){var o=!1;return e&&e.forAll(function(e,n){if(t(e,n))return o=!0,!1}),o}function g(e){return''+String.fromCharCode(10003)+""+e}function m(e,t){return!e.hidden||!("function"==typeof e.hidden&&e.hidden.call(t))}function w(e,t){for(var o=e.slice(0),n=0;n0?t[t.length-1].name!==e.name&&t.push(e):t.push(e)}),t}function b(e){var t=void 0!==arguments[1]?arguments[1]:E,o=e.slice(0);return o=w(o,t),o=v(o,t),o=y(o)}Object.defineProperties(o,{normalizeSelection:{get:function(){return n}},isSeparator:{get:function(){return r}},hasSubMenu:{get:function(){return i}},isDisabled:{get:function(){return s}},isSelectionDisabled:{get:function(){return a}},getValidSelection:{get:function(){return l}},prepareVerticalAlignClass:{get:function(){return u}},prepareHorizontalAlignClass:{get:function(){return c}},getAlignmentClasses:{get:function(){return d}},align:{get:function(){return h}},checkSelectionConsistency:{get:function(){return p}},markLabelAsSelected:{get:function(){return g}},isItemHidden:{get:function(){return m}},filterSeparators:{get:function(){return b}},__esModule:{value:!0}});var 
C,_,R,M=(C=e("helpers/array"),C&&C.__esModule&&C||{default:C}).arrayEach,S=(_=e("helpers/dom/element"),_&&_.__esModule&&_||{default:_}).hasClass,E=(R=e("predefinedItems/separator"),R&&R.__esModule&&R||{default:R}).KEY},{"helpers/array":43,"helpers/dom/element":47,"predefinedItems/separator":86}],89:[function(e,t,o){"use strict";Object.defineProperties(o,{ContextMenuCopyPaste:{get:function(){return w}},__esModule:{value:!0}});var n,r,i,s,a,l,u,c=(n=e("_base"),n&&n.__esModule&&n||{default:n}).default,d=(r=e("zeroclipboard"),r&&r.__esModule&&r||{default:r}).default,h=(i=e("helpers/dom/element"),i&&i.__esModule&&i||{default:i}).removeClass,f=(s=e("helpers/array"),s&&s.__esModule&&s||{default:s}).arrayEach,p=(a=e("eventManager"),a&&a.__esModule&&a||{default:a}).EventManager,g=(l=e("plugins"),l&&l.__esModule&&l||{default:l}).registerPlugin,m=(u=e("contextMenu/predefinedItems"),u&&u.__esModule&&u||{default:u}).SEPARATOR,w=function(e){$traceurRuntime.superConstructor(v).call(this,e),this.eventManager=new p(this),this.swfPath=null,this.outsideClickDeselectsCache=null},v=w;$traceurRuntime.createClass(w,{isEnabled:function(){return this.hot.getSettings().contextMenuCopyPaste},enablePlugin:function(){var e=this;if(!this.enabled){"object"==typeof this.hot.getSettings().contextMenuCopyPaste&&(this.swfPath=this.hot.getSettings().contextMenuCopyPaste.swfPath),"undefined"==typeof d&&console.error("To be able to use the Copy/Paste feature from the context menu, you need to manually include ZeroClipboard.js file to your website.");try{new ActiveXObject("ShockwaveFlash.ShockwaveFlash")}catch(e){"undefined"==typeof navigator.mimeTypes["application/x-shockwave-flash"]&&console.error("To be able to use the Copy/Paste feature from the context menu, your browser needs to have Flash Plugin installed.")}this.swfPath&&d.config({swfPath:this.swfPath}),this.hot.addHook("afterContextMenuShow",function(){return 
e.onAfterContextMenuShow()}),this.hot.addHook("afterContextMenuDefaultOptions",function(t){return e.onAfterContextMenuDefaultOptions(t)}),this.registerEvents(),$traceurRuntime.superGet(this,v.prototype,"enablePlugin").call(this)}},disablePlugin:function(){$traceurRuntime.superGet(this,v.prototype,"disablePlugin").call(this)},registerEvents:function(){var e=this;this.eventManager.addEventListener(document,"mouseenter",function(){return e.removeCurrentClass()}),this.eventManager.addEventListener(document,"mouseleave",function(){return e.removeZeroClipboardClass()})},getCopyValue:function(){return this.hot.copyPaste.setCopyableText(),this.hot.copyPaste.copyPasteInstance.elTextarea.value},onAfterContextMenuDefaultOptions:function(e){e.items.unshift({key:"copy",name:"Copy",disabled:function(){return this.selection.selectedHeader.corner}},{key:"paste",name:"Paste",callback:function(){this.copyPaste.triggerPaste()},disabled:function(){return this.selection.selectedHeader.corner}},{name:m})},onAfterContextMenuShow:function(){var e=this,t=this.hot.getPlugin("contextMenu"),o=t.menu.hotMenu.getSourceData();f(o,function(o,n){if("copy"===o.key){var r=new d(t.menu.hotMenu.getCell(n,0));return r.off(),r.on("copy",function(t){var o=t.clipboardData;o.setData("text/plain",e.getCopyValue()),e.hot.getSettings().outsideClickDeselects=e.outsideClickDeselectsCache}),!1}})},removeCurrentClass:function(){var e=this.hot.getPlugin("contextMenu");if(e.enabled){if(e.menu.isOpened()){var t=e.menu.hotMenu.rootElement.querySelector("td.current");t&&h(t,"current")}this.outsideClickDeselectsCache=this.hot.getSettings().outsideClickDeselects,this.hot.getSettings().outsideClickDeselects=!1}},removeZeroClipboardClass:function(){var e=this.hot.getPlugin("contextMenu");if(e.enabled){if(e.menu.isOpened()){var 
t=e.menu.hotMenu.rootElement.querySelector("td.zeroclipboard-is-hover");t&&h(t,"zeroclipboard-is-hover")}this.hot.getSettings().outsideClickDeselects=this.outsideClickDeselectsCache}}},{},c),g("contextMenuCopyPaste",w)},{_base:62,"contextMenu/predefinedItems":75,eventManager:42,"helpers/array":43,"helpers/dom/element":47,plugins:61,zeroclipboard:"zeroclipboard"}],90:[function(e,t,o){"use strict";function n(e){function t(){e.isListening()&&e.selection.empty()}function o(t){var o,n,r,i,s,a,l,u,c,d;if(e.isListening()&&e.selection.isSelected()){o=t,n=y.parse(o),r=e.getSelected(),i=new D(r[0],r[1]),s=new D(r[2],r[3]),a=new x(i,i,s),l=a.getTopLeftCorner(),u=a.getBottomRightCorner(),c=l,d=new D(Math.max(u.row,n.length-1+l.row),Math.max(u.col,n[0].length-1+l.col));var h=s.row-i.row>=n.length-1,f=s.col-i.col>=n[0].length-1;e.addHookOnce("afterChange",function(t,o){var n=t?t.length:0;if(n){var r={row:0,col:0},i=-1;R(t,function(e,o){var s=n>o+1?t[o+1]:null;s&&(h||(r.row=r.row+Math.max(s[0]-e[0]-1,0)),!f&&e[1]>i&&(i=e[1],r.col=r.col+Math.max(s[1]-e[1]-1,0)))}),e.selectCell(c.row,c.col,d.row+r.row,d.col+r.col)}}),e.populateFromArray(c.row,c.col,n,d.row,d.col,"paste",e.getSettings().pasteMode)}}function n(t){if(e.getSelected()&&!(e.getActiveEditor()&&e.getActiveEditor().isOpened()||O(t))){if(_(t.keyCode)){if(e.getSettings().fragmentSelection&&T())return;return r.setCopyableText(),void E(t)}var o=(t.ctrlKey||t.metaKey)&&!t.altKey;t.keyCode==C.A&&o&&e._registerTimeout(setTimeout(k(r.setCopyableText,r),0))}}var 
r=this;this.copyPasteInstance=v(),this.copyPasteInstance.onCut(t),this.copyPasteInstance.onPaste(o),this.onPaste=o,e.addHook("beforeKeyDown",n),this.destroy=function(){this.copyPasteInstance&&(this.copyPasteInstance.removeCallback(t),this.copyPasteInstance.removeCallback(o),this.copyPasteInstance.destroy(),this.copyPasteInstance=null),e.removeHook("beforeKeyDown",n)},e.addHook("afterDestroy",k(this.destroy,this)),this.triggerPaste=k(this.copyPasteInstance.triggerPaste,this.copyPasteInstance),this.triggerCut=k(this.copyPasteInstance.triggerCut,this.copyPasteInstance),this.setCopyableText=function(){var t=e.getSettings(),o=t.copyRowsLimit,n=t.copyColsLimit,r=e.getSelectedRange(),i=r.getTopLeftCorner(),s=r.getBottomRightCorner(),a=i.row,l=i.col,u=s.row,c=s.col,d=Math.min(u,a+o-1),h=Math.min(c,l+n-1),f=[];f.push({startRow:a,startCol:l,endRow:d,endCol:h}),f=w.hooks.run(e,"modifyCopyableRange",f);var p=this.getRangedCopyableData(f);e.copyPaste.copyPasteInstance.copyable(p),u===d&&c===h||w.hooks.run(e,"afterCopyLimit",u-a+1,c-l+1,o,n)},this.getRangedCopyableData=function(t){var o=[],n=[],r=[];return R(t,function(e){M(e.startRow,e.endRow,function(e){n.indexOf(e)===-1&&n.push(e)}),M(e.startCol,e.endCol,function(e){r.indexOf(e)===-1&&r.push(e)})}),R(n,function(t){var n=[];R(r,function(o){n.push(e.getCopyableData(t,o))}),o.push(n)}),y.stringify(o)}}function r(){var e=this,t=e.getSettings().copyPaste!==!1;t&&!e.copyPaste?e.copyPaste=new n(e):!t&&e.copyPaste&&(e.copyPaste.destroy(),e.copyPaste=null)}Object.defineProperties(o,{CopyPastePlugin:{get:function(){return n}},__esModule:{value:!0}});var 
i,s,a,l,u,c,d,h,f,p,g,m,w=(i=e("browser"),i&&i.__esModule&&i||{default:i}).default,v=(s=e("copyPaste"),s&&s.__esModule&&s||{default:s}).default,y=(a=e("SheetClip"),a&&a.__esModule&&a||{default:a}).default,b=(l=e("helpers/unicode"),l&&l.__esModule&&l||{default:l}),C=b.KEY_CODES,_=b.isCtrlKey,R=(u=e("helpers/array"),u&&u.__esModule&&u||{default:u}).arrayEach,M=(c=e("helpers/number"),c&&c.__esModule&&c||{default:c}).rangeEach,S=(d=e("helpers/dom/event"),d&&d.__esModule&&d||{default:d}),E=S.stopImmediatePropagation,O=S.isImmediatePropagationStopped,T=(h=e("helpers/dom/element"),h&&h.__esModule&&h||{default:h}).getSelectionText,k=(f=e("helpers/function"),f&&f.__esModule&&f||{default:f}).proxy,D=((p=e("plugins"),p&&p.__esModule&&p||{default:p}).registerPlugin,(g=e("3rdparty/walkontable/src/cell/coords"),g&&g.__esModule&&g||{default:g}).WalkontableCellCoords),x=(m=e("3rdparty/walkontable/src/cell/range"),m&&m.__esModule&&m||{default:m}).WalkontableCellRange;w.hooks.add("afterInit",r),w.hooks.add("afterUpdateSettings",r),w.hooks.register("afterCopyLimit"),w.hooks.register("modifyCopyableRange")},{"3rdparty/walkontable/src/cell/coords":6,"3rdparty/walkontable/src/cell/range":7,SheetClip:"SheetClip",browser:24,copyPaste:"copyPaste","helpers/array":43,"helpers/dom/element":47,"helpers/dom/event":48,"helpers/function":50,"helpers/number":52,"helpers/unicode":56,plugins:61}],91:[function(e,t,o){"use strict";function n(){}var r,i,s,a,l,u=(r=e("browser"),r&&r.__esModule&&r||{default:r}).default,c=((i=e("plugins"),i&&i.__esModule&&i||{default:i}).registerPlugin,(s=e("3rdparty/walkontable/src/cell/range"),s&&s.__esModule&&s||{default:s}).WalkontableCellRange),d=(a=e("3rdparty/walkontable/src/selection"),a&&a.__esModule&&a||{default:a}).WalkontableSelection,h=function(e){return"boolean"==typeof e&&e===!0||"object"==typeof e&&e.length>0},f=function(){h(this.getSettings().customBorders)&&(this.customBorders||(l=this,this.customBorders=new n))},p=function(e){for(var 
t=0;t=0?l.view.wt.selections[n]=o:l.view.wt.selections.push(o)},m=function(e,t,o){var n=_(e,t);n=R(n,o),this.setCellMeta(e,t,"borders",n),g(n)},w=function(e){for(var t=e.range,o=t.from.row;o<=t.to.row;o++)for(var n=t.from.col;n<=t.to.col;n++){var r=_(o,n),i=0;o==t.from.row&&(i++,e.hasOwnProperty("top")&&(r.top=e.top)),o==t.to.row&&(i++,e.hasOwnProperty("bottom")&&(r.bottom=e.bottom)),n==t.from.col&&(i++,e.hasOwnProperty("left")&&(r.left=e.left)),n==t.to.col&&(i++,e.hasOwnProperty("right")&&(r.right=e.right)),i>0&&(this.setCellMeta(o,n,"borders",r),g(r))}},v=function(e,t){return"border_row"+e+"col"+t},y=function(){return{width:1,color:"#000"}},b=function(){return{hide:!0}},C=function(){return{width:1,color:"#000",cornerVisible:!1}},_=function(e,t){return{className:v(e,t),border:C(),row:e,col:t,top:b(),right:b(),bottom:b(),left:b()}},R=function(e,t){return t.hasOwnProperty("border")&&(e.border=t.border),t.hasOwnProperty("top")&&(e.top=t.top),t.hasOwnProperty("right")&&(e.right=t.right),t.hasOwnProperty("bottom")&&(e.bottom=t.bottom),t.hasOwnProperty("left")&&(e.left=t.left),e},M=function(e){for(var t=document.querySelectorAll("."+e),o=0;o'+String.fromCharCode(10003)+""+e},D=function(e){this.getSettings().customBorders&&(e.items.push(u.plugins.ContextMenu.SEPARATOR),e.items.push({key:"borders",name:"Borders",disabled:function(){return this.selection.selectedHeader.corner},submenu:{items:[{key:"borders:top",name:function(){var e="Top",t=T(this,"top");return t&&(e=k(e)),e},callback:function(){var e=T(this,"top");O.call(this,this.getSelectedRange(),"top",e)}},{key:"borders:right",name:function(){var e="Right",t=T(this,"right");return t&&(e=k(e)),e},callback:function(){var e=T(this,"right");O.call(this,this.getSelectedRange(),"right",e)}},{key:"borders:bottom",name:function(){var e="Bottom",t=T(this,"bottom");return t&&(e=k(e)),e},callback:function(){var e=T(this,"bottom");O.call(this,this.getSelectedRange(),"bottom",e)}},{key:"borders:left",name:function(){var 
e="Left",t=T(this,"left");return t&&(e=k(e)),e},callback:function(){var e=T(this,"left");O.call(this,this.getSelectedRange(),"left",e)}},{key:"borders:no_borders",name:"Remove border(s)",callback:function(){O.call(this,this.getSelectedRange(),"noBorders")},disabled:function(){return!T(this)}}]}}))};u.hooks.add("beforeInit",f),u.hooks.add("afterContextMenuDefaultOptions",D),u.hooks.add("afterInit",function(){var e=this.getSettings().customBorders;if(e){for(var t=0;tthis.boundaries.bottom&&(n=t-this.boundaries.bottom),ethis.boundaries.right&&(o=e-this.boundaries.right),this.callback(o,n)};var u,c=function(e){e.dragToScrollListening=!1;var t=e.view.wt.wtTable.holder;u=new n,t!==window&&(u.setBoundaries(t.getBoundingClientRect()),u.setCallback(function(e,o){e<0?t.scrollLeft-=50:e>0&&(t.scrollLeft+=50),o<0?t.scrollTop-=20:o>0&&(t.scrollTop+=20)}),e.dragToScrollListening=!0)};a.hooks.add("afterInit",function(){var e=this,t=l(this);t.addEventListener(document,"mouseup",function(){e.dragToScrollListening=!1}),t.addEventListener(document,"mousemove",function(t){e.dragToScrollListening&&u.check(t.clientX,t.clientY)})}),a.hooks.add("afterDestroy",function(){l(this).clear()}),a.hooks.add("afterOnCellMouseDown",function(){c(this)}),a.hooks.add("afterOnCellCornerMouseDown",function(){c(this)}),a.plugins.DragToScroll=n},{browser:24,eventManager:42,plugins:61}],93:[function(e,t,o){"use strict";function n(e){return{key:"freeze_column",name:"Freeze this column",callback:function(){var t=this.getSelectedRange().from.col;e.freezeColumn(t),this.render(),this.view.wt.wtOverlays.adjustElementsSize(!0)},hidden:function(){var e=this.getSelectedRange(),t=!1;return void 0===e?t=!0:(e.from.col!==e.to.col||e.from.col<=this.getSettings().fixedColumnsLeft-1)&&(t=!0),t}}}Object.defineProperties(o,{freezeColumnItem:{get:function(){return n}},__esModule:{value:!0}})},{}],94:[function(e,t,o){"use strict";function n(e){return{key:"unfreeze_column",name:"Unfreeze this column",callback:function(){var 
t=this.getSelectedRange().from.col;e.unfreezeColumn(t),this.render(),this.view.wt.wtOverlays.adjustElementsSize(!0)},hidden:function(){var e=this.getSelectedRange(),t=!1;return void 0===e?t=!0:(e.from.col!==e.to.col||e.from.col>=this.getSettings().fixedColumnsLeft)&&(t=!0),t}}}Object.defineProperties(o,{unfreezeColumnItem:{get:function(){return n}},__esModule:{value:!0}})},{}],95:[function(e,t,o){"use strict";Object.defineProperties(o,{ManualColumnFreeze:{get:function(){return m}},__esModule:{value:!0}});var n,r,i,s,a,l,u=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,c=(r=e("_base"),r&&r.__esModule&&r||{default:r}).default,d=(i=e("plugins"),i&&i.__esModule&&i||{default:i}).registerPlugin,h=(s=e("helpers/array"),s&&s.__esModule&&s||{default:s}).arrayEach,f=(a=e("contextMenuItem/freezeColumn"),a&&a.__esModule&&a||{default:a}).freezeColumnItem,p=(l=e("contextMenuItem/unfreezeColumn"),l&&l.__esModule&&l||{default:l}).unfreezeColumnItem,g=new WeakMap,m=function(e){$traceurRuntime.superConstructor(w).call(this,e),g.set(this,{moveByFreeze:!1,afterFirstUse:!1}),this.frozenColumnsBasePositions=[],this.manualColumnMovePlugin=void 0},w=m;$traceurRuntime.createClass(m,{isEnabled:function(){return!!this.hot.getSettings().manualColumnFreeze},enablePlugin:function(){var e=this;this.enabled||(this.addHook("afterContextMenuDefaultOptions",function(t){return e.addContextMenuEntry(t)}),this.addHook("afterInit",function(){return e.onAfterInit()}),this.addHook("beforeColumnMove",function(t,o){return e.onBeforeColumnMove(t,o)}),$traceurRuntime.superGet(this,w.prototype,"enablePlugin").call(this))},disablePlugin:function(){var e=g.get(this);e.afterFirstUse=!1,e.moveByFreeze=!1,$traceurRuntime.superGet(this,w.prototype,"disablePlugin").call(this)},updatePlugin:function(){this.disablePlugin(),this.enablePlugin(),$traceurRuntime.superGet(this,w.prototype,"updatePlugin").call(this)},freezeColumn:function(e){var 
t=g.get(this),o=this.hot.getSettings();t.afterFirstUse||(t.afterFirstUse=!0),o.fixedColumnsLeft===this.hot.countCols()||e<=o.fixedColumnsLeft-1||(t.moveByFreeze=!0,e!==this.getMovePlugin().columnsMapper.getValueByIndex(e)&&(this.frozenColumnsBasePositions[o.fixedColumnsLeft]=e),this.getMovePlugin().moveColumn(e,o.fixedColumnsLeft++))},unfreezeColumn:function(e){var t=g.get(this),o=this.hot.getSettings();if(t.afterFirstUse||(t.afterFirstUse=!0),!(o.fixedColumnsLeft<=0||e>o.fixedColumnsLeft-1)){var n=this.getBestColumnReturnPosition(e);t.moveByFreeze=!0,o.fixedColumnsLeft--,this.getMovePlugin().moveColumn(e,n+1)}},getMovePlugin:function(){return this.manualColumnMovePlugin||(this.manualColumnMovePlugin=this.hot.getPlugin("manualColumnMove")),this.manualColumnMovePlugin},getBestColumnReturnPosition:function(e){var t,o=this.getMovePlugin(),n=this.hot.getSettings(),r=n.fixedColumnsLeft,i=o.columnsMapper.getValueByIndex(r);if(null==this.frozenColumnsBasePositions[e])for(t=o.columnsMapper.getValueByIndex(e);i0?e.target.col=0:e.target.col=t>0?t-1:t;else if(e.target.TD.offsetWidth/2+s<=a){var f=e.coordsColumn>=e.countCols?e.countCols-1:e.coordsColumn;e.target.col=f+1,s+=e.target.TD.offsetWidth,e.target.col>o&&this.hot.scrollViewportTo(void 0,o+1,void 0,!0)}else e.target.col=e.coordsColumn,e.target.col<=t&&e.target.col>=e.fixedColumns&&this.hot.scrollViewportTo(void 0,t-1);e.target.col<=t&&e.target.col>=e.fixedColumns&&this.hot.scrollViewportTo(void 0,t-1);var p=a,g=s;a+d+c>=l?p=l-d-c:a+c=l-1?g=l-1:0===g?g=1:void 0!==r.scrollX&&e.coordsColumn-1;if(!s||!i||a.pressed||0!==e.button||l)return a.pressed=!1,a.columnsToMove.length=0,void v(this.hot.rootElement,[k,T]);var u=this.guideline.isBuilt()&&!this.guideline.isAppended(),c=this.backlight.isBuilt()&&!this.backlight.isAppended();u&&c&&(this.guideline.appendTo(r.hider),this.backlight.appendTo(r.hider));var 
d=s,h=d.from,f=d.to,p=Math.min(h.col,f.col),g=Math.max(h.col,f.col);if(t.row<0&&t.col>=p&&t.col<=g){n.column=!0,a.pressed=!0,a.target.eventPageX=e.pageX,a.coordsColumn=t.col,a.target.TD=o,a.target.col=t.col,a.columnsToMove=this.prepareColumnsToMoving(p,g),a.hasRowHeaders=!!this.hot.getSettings().rowHeaders,a.countCols=this.hot.countCols(),a.fixedColumns=this.hot.getSettings().fixedColumnsLeft,a.rootElementOffset=y(this.hot.rootElement).left;var m=a.hasRowHeaders?-1:0,b=r.holder.scrollTop+r.getColumnHeaderHeight(0)+1,C=t.col-1?v(this.hot.rootElement,T):w(this.hot.rootElement,T),n.row=!0,n.column=!0,n.cell=!0,i.coordsColumn=t.col,i.target.TD=o)},onMouseUp:function(){var e=E.get(this);if(e.coordsColumn=void 0,e.pressed=!1,e.backlightWidth=0,v(this.hot.rootElement,[k,T,D]),this.hot.selection.selectedHeader.cols&&w(this.hot.rootElement,D),!(e.columnsToMove.length<1||void 0===e.target.col||e.columnsToMove.indexOf(e.target.col)>-1)){if(this.moveColumns(e.columnsToMove,e.target.col),this.persistentStateSave(),this.hot.render(),this.hot.view.wt.wtOverlays.adjustElementsSize(!0),!e.disallowMoving){var t=this.columnsMapper.getIndexByValue(e.columnsToMove[0]),o=this.columnsMapper.getIndexByValue(e.columnsToMove[e.columnsToMove.length-1]);this.changeSelection(t,o)}e.columnsToMove.length=0}},onAfterScrollVertically:function(){var e=this.hot.view.wt.wtTable,t=e.getColumnHeaderHeight(0)+1,o=e.holder.scrollTop,n=t+o;this.backlight.setPosition(n),this.backlight.setSize(null,e.hider.offsetHeight-n)},onAfterCreateCol:function(e,t){this.columnsMapper.shiftItems(e,t)},onBeforeRemoveCol:function(e,t){var o=this;this.removedColumns.length=0,e!==!1&&b(e,e+t-1,function(e){o.removedColumns.push(o.hot.runHooks("modifyCol",e,o.pluginName))})},onAfterRemoveCol:function(e,t){this.columnsMapper.unshiftItems(this.removedColumns)},onModifyCol:function(e,t){if(t!==this.pluginName){var o=this.columnsMapper.getValueByIndex(e);e=null===o?e:o}return e},onUnmodifyCol:function(e){var 
t=this.columnsMapper.getIndexByValue(e);return e=null===t?e:t},onAfterPluginsInitialized:function(){var e=this.hot.countCols(),t=this.columnsMapper._arrayMap.length;if(0===t)this.columnsMapper.createMap(this.hot.countSourceCols()||this.hot.getSettings().startCols);else if(te){var n=e-1,r=[];g(this.columnsMapper._arrayMap,function(e,t,o){e>n&&r.push(t)}),this.columnsMapper.removeItems(r)}this.initialSettings(),this.backlight.build(),this.guideline.build()},destroy:function(){this.backlight.destroy(),this.guideline.destroy(),$traceurRuntime.superGet(this,H.prototype,"destroy").call(this)}},{},f),_("ManualColumnMove",x),p.hooks.register("beforeColumnMove"),p.hooks.register("afterColumnMove"),p.hooks.register("unmodifyCol")},{"_base.js":62,browser:24,columnsMapper:96,eventManager:42,"helpers/array":43,"helpers/dom/element":47,"helpers/number":52,plugins:61,"ui/backlight":99,"ui/guideline":100}],98:[function(e,t,o){"use strict";Object.defineProperties(o,{BaseUI:{get:function(){return u}},__esModule:{value:!0}});var n,r=(n=e("helpers/number"),n&&n.__esModule&&n||{ -default:n}).isNumeric,i=0,s=1,a=2,l="px",u=function(e){this.hot=e,this._element=null,this.state=i};$traceurRuntime.createClass(u,{appendTo:function(e){e.appendChild(this._element),this.state=a},build:function(){this._element=document.createElement("div"),this.state=s},destroy:function(){this.isAppended()&&this._element.parentElement.removeChild(this._element),this._element=null,this.state=i},isAppended:function(){return this.state===a},isBuilt:function(){return 
this.state>=s},setPosition:function(e,t){r(e)&&(this._element.style.top=e+l),r(t)&&(this._element.style.left=t+l)},getPosition:function(){return{top:this._element.style.top?parseInt(this._element.style.top,10):0,left:this._element.style.left?parseInt(this._element.style.left,10):0}},setSize:function(e,t){r(e)&&(this._element.style.width=e+l),r(t)&&(this._element.style.height=t+l)},getSize:function(){return{width:this._element.style.width?parseInt(this._element.style.width,10):0,height:this._element.style.height?parseInt(this._element.style.height,10):0}},setOffset:function(e,t){r(e)&&(this._element.style.marginTop=e+l),r(t)&&(this._element.style.marginLeft=t+l)},getOffset:function(){return{top:this._element.style.marginTop?parseInt(this._element.style.marginTop,10):0,left:this._element.style.marginLeft?parseInt(this._element.style.marginLeft,10):0}}},{})},{"helpers/number":52}],99:[function(e,t,o){"use strict";Object.defineProperties(o,{BacklightUI:{get:function(){return l}},__esModule:{value:!0}});var n,r,i=(n=e("_base"),n&&n.__esModule&&n||{default:n}).BaseUI,s=(r=e("helpers/dom/element"),r&&r.__esModule&&r||{default:r}).addClass,a="ht__manualColumnMove--backlight",l=function(e){$traceurRuntime.superConstructor(u).call(this,e)},u=l;$traceurRuntime.createClass(l,{build:function(){$traceurRuntime.superGet(this,u.prototype,"build").call(this),s(this._element,a)}},{},i)},{_base:98,"helpers/dom/element":47}],100:[function(e,t,o){"use strict";Object.defineProperties(o,{GuidelineUI:{get:function(){return l}},__esModule:{value:!0}});var n,r,i=(n=e("_base"),n&&n.__esModule&&n||{default:n}).BaseUI,s=(r=e("helpers/dom/element"),r&&r.__esModule&&r||{default:r}).addClass,a="ht__manualColumnMove--guideline",l=function(e){$traceurRuntime.superConstructor(u).call(this,e)},u=l;$traceurRuntime.createClass(l,{build:function(){$traceurRuntime.superGet(this,u.prototype,"build").call(this),s(this._element,a)}},{},i)},{_base:98,"helpers/dom/element":47}],101:[function(e,t,o){"use 
strict";Object.defineProperties(o,{ManualColumnResize:{get:function(){return M}},__esModule:{value:!0}});var n,r,i,s,a,l,u,c,d=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,h=(r=e("_base.js"),r&&r.__esModule&&r||{default:r}).default,f=(i=e("helpers/dom/element"),i&&i.__esModule&&i||{default:i}),p=f.addClass,g=f.hasClass,m=f.removeClass,w=f.outerHeight,v=(s=e("eventManager"),s&&s.__esModule&&s||{default:s}).eventManager,y=(a=e("helpers/dom/event"),a&&a.__esModule&&a||{default:a}),b=y.pageX,C=(y.pageY,(l=e("helpers/array"),l&&l.__esModule&&l||{default:l}).arrayEach),_=(u=e("helpers/number"),u&&u.__esModule&&u||{default:u}).rangeEach,R=(c=e("plugins"),c&&c.__esModule&&c||{default:c}).registerPlugin,M=function(e){$traceurRuntime.superConstructor(S).call(this,e),this.currentTH=null,this.currentCol=null,this.selectedCols=[],this.currentWidth=null,this.newSize=null,this.startY=null,this.startWidth=null,this.startOffset=null,this.handle=document.createElement("DIV"),this.guide=document.createElement("DIV"),this.eventManager=v(this),this.pressed=null,this.dblclick=0,this.autoresizeTimeout=null,this.manualColumnWidths=[],p(this.handle,"manualColumnResizer"),p(this.guide,"manualColumnResizerGuide")},S=M;$traceurRuntime.createClass(M,{isEnabled:function(){return this.hot.getSettings().manualColumnResize},enablePlugin:function(){var e=this;if(!this.enabled){this.manualColumnWidths=[];var t=this.hot.getSettings().manualColumnResize,o=this.loadManualColumnWidths();this.addHook("modifyColWidth",function(t,o){return e.onModifyColWidth(t,o)}),this.addHook("beforeStretchingColumnWidth",function(t,o){return e.onBeforeStretchingColumnWidth(t,o)}),this.addHook("beforeColumnResize",function(t,o,n){return e.onBeforeColumnResize(t,o,n)}),"undefined"!=typeof 
o?this.manualColumnWidths=o:Array.isArray(t)?this.manualColumnWidths=t:this.manualColumnWidths=[],d.hooks.register("beforeColumnResize"),d.hooks.register("afterColumnResize"),this.bindEvents(),$traceurRuntime.superGet(this,S.prototype,"enablePlugin").call(this)}},updatePlugin:function(){var e=this.hot.getSettings().manualColumnResize;Array.isArray(e)?this.manualColumnWidths=e:e||(this.manualColumnWidths=[])},disablePlugin:function(){$traceurRuntime.superGet(this,S.prototype,"disablePlugin").call(this)},saveManualColumnWidths:function(){this.hot.runHooks("persistentStateSave","manualColumnWidths",this.manualColumnWidths)},loadManualColumnWidths:function(){var e={};return this.hot.runHooks("persistentStateLoad","manualColumnWidths",e),e.value},setupHandlePosition:function(e){var t=this;if(!e.parentNode)return!1;this.currentTH=e;var o=this.hot.view.wt.wtTable.getCoords(e).col,n=w(this.currentTH);if(o>=0){var r=this.currentTH.getBoundingClientRect();if(this.currentCol=o,this.selectedCols=[],this.hot.selection.isSelected()&&this.hot.selection.selectedHeader.cols){var i=this.hot.getSelectedRange(),s=i.from,a=i.to,l=s.col,u=a.col;l>=u&&(l=a.col,u=s.col),this.currentCol>=l&&this.currentCol<=u?_(l,u,function(e){return t.selectedCols.push(e)}):this.selectedCols.push(this.currentCol)}else this.selectedCols.push(this.currentCol);this.startOffset=r.left-6,this.startWidth=parseInt(r.width,10),this.handle.style.top=r.top+"px",this.handle.style.left=this.startOffset+this.startWidth+"px",this.handle.style.height=n+"px",this.hot.rootElement.appendChild(this.handle)}},refreshHandlePosition:function(){this.handle.style.left=this.startOffset+this.currentWidth+"px"},setupGuidePosition:function(){var 
e=parseInt(w(this.handle),10),t=parseInt(this.handle.style.top,10)+e,o=parseInt(this.hot.view.maximumVisibleElementHeight(0),10);p(this.handle,"active"),p(this.guide,"active"),this.guide.style.top=t+"px",this.guide.style.left=this.handle.style.left,this.guide.style.height=o-e+"px",this.hot.rootElement.appendChild(this.guide)},refreshGuidePosition:function(){this.guide.style.left=this.handle.style.left},hideHandleAndGuide:function(){m(this.handle,"active"),m(this.guide,"active")},checkIfColumnHeader:function(e){if(e!=this.hot.rootElement){var t=e.parentNode;return"THEAD"===t.tagName||this.checkIfColumnHeader(t)}return!1},getTHFromTargetElement:function(e){return"TABLE"!=e.tagName?"TH"==e.tagName?e:this.getTHFromTargetElement(e.parentNode):null},onMouseOver:function(e){if(this.checkIfColumnHeader(e.target)){var t=this.getTHFromTargetElement(e.target);if(!t)return;var o=t.getAttribute("colspan");!t||null!==o&&1!==o||this.pressed||this.setupHandlePosition(t)}},afterMouseDownTimeout:function(){var e=this,t=function(){e.hot.forceFullRender=!0,e.hot.view.render(),e.hot.view.wt.wtOverlays.adjustElementsSize(!0)},o=function(o,n){var r=e.hot.runHooks("beforeColumnResize",o,e.newSize,!0);void 0!==r&&(e.newSize=r),"all"===e.hot.getSettings().stretchH?e.clearManualSize(o):e.setManualSize(o,e.newSize),n&&t(),e.saveManualColumnWidths(),e.hot.runHooks("afterColumnResize",o,e.newSize,!0)};if(this.dblclick>=2){var n=this.selectedCols.length;n>1?(C(this.selectedCols,function(e){o(e)}),t()):C(this.selectedCols,function(e){o(e,!0)})}this.dblclick=0,this.autoresizeTimeout=null},onMouseDown:function(e){var t=this;g(e.target,"manualColumnResizer")&&(this.setupGuidePosition(),this.pressed=this.hot,null===this.autoresizeTimeout&&(this.autoresizeTimeout=setTimeout(function(){return t.afterMouseDownTimeout()},500),this.hot._registerTimeout(this.autoresizeTimeout)),this.dblclick++,this.startX=b(e),this.newSize=this.startWidth)},onMouseMove:function(e){var 
t=this;this.pressed&&(this.currentWidth=this.startWidth+(b(e)-this.startX),C(this.selectedCols,function(e){t.newSize=t.setManualSize(e,t.currentWidth)}),this.refreshHandlePosition(),this.refreshGuidePosition())},onMouseUp:function(e){var t=this,o=function(){t.hot.forceFullRender=!0,t.hot.view.render(),t.hot.view.wt.wtOverlays.adjustElementsSize(!0)},n=function(e,n){t.hot.runHooks("beforeColumnResize",e,t.newSize),n&&o(),t.saveManualColumnWidths(),t.hot.runHooks("afterColumnResize",e,t.newSize)};if(this.pressed){if(this.hideHandleAndGuide(),this.pressed=!1,this.newSize!=this.startWidth){var r=this.selectedCols.length;r>1?(C(this.selectedCols,function(e){n(e)}),o()):C(this.selectedCols,function(e){n(e,!0)})}this.setupHandlePosition(this.currentTH)}},bindEvents:function(){var e=this;this.eventManager.addEventListener(this.hot.rootElement,"mouseover",function(t){return e.onMouseOver(t)}),this.eventManager.addEventListener(this.hot.rootElement,"mousedown",function(t){return e.onMouseDown(t)}),this.eventManager.addEventListener(window,"mousemove",function(t){return e.onMouseMove(t)}),this.eventManager.addEventListener(window,"mouseup",function(t){return e.onMouseUp(t)})},setManualSize:function(e,t){return t=Math.max(t,20),e=this.hot.runHooks("modifyCol",e),this.manualColumnWidths[e]=t,t},clearManualSize:function(e){e=this.hot.runHooks("modifyCol",e),this.manualColumnWidths[e]=void 0},onModifyColWidth:function(e,t){return this.enabled&&(t=this.hot.runHooks("modifyCol",t),this.hot.getSettings().manualColumnResize&&this.manualColumnWidths[t])?this.manualColumnWidths[t]:e},onBeforeStretchingColumnWidth:function(e,t){var o=this.manualColumnWidths[t];return void 0===o&&(o=e),o},onBeforeColumnResize:function(){this.hot.view.wt.wtViewport.hasOversizedColumnHeadersMarked={}}},{},h),R("manualColumnResize",M)},{"_base.js":62,browser:24,eventManager:42,"helpers/array":43,"helpers/dom/element":47,"helpers/dom/event":48,"helpers/number":52,plugins:61}],102:[function(e,t,o){"use 
strict";Object.defineProperties(o,{ManualRowMove:{get:function(){return x}},__esModule:{value:!0}});var n,r,i,s,a,l,u,c,d,h,f=(n=e("_base.js"),n&&n.__esModule&&n||{default:n}).default,p=(r=e("browser"),r&&r.__esModule&&r||{default:r}).default,g=(i=e("helpers/array"),i&&i.__esModule&&i||{default:i}).arrayEach,m=(s=e("helpers/dom/element"),s&&s.__esModule&&s||{default:s}),w=m.addClass,v=m.removeClass,y=m.offset,b=(a=e("helpers/number"),a&&a.__esModule&&a||{default:a}).rangeEach,C=(l=e("eventManager"),l&&l.__esModule&&l||{default:l}).eventManager,_=(u=e("plugins"),u&&u.__esModule&&u||{default:u}).registerPlugin,R=(c=e("rowsMapper"),c&&c.__esModule&&c||{default:c}).RowsMapper,M=(d=e("ui/backlight"),d&&d.__esModule&&d||{default:d}).BacklightUI,S=(h=e("ui/guideline"),h&&h.__esModule&&h||{default:h}).GuidelineUI,E=new WeakMap,O="ht__manualRowMove",T="show-ui",k="on-moving--rows",D="after-selection--rows",x=function(e){$traceurRuntime.superConstructor(H).call(this,e),E.set(this,{rowsToMove:[],pressed:void 0,disallowMoving:void 0,target:{eventPageY:void 0,coords:void 0,TD:void 0,row:void 0}}),this.removedRows=[],this.rowsMapper=new R(this),this.eventManager=C(this),this.backlight=new M(e),this.guideline=new S(e)},H=x;$traceurRuntime.createClass(x,{isEnabled:function(){return!!this.hot.getSettings().manualRowMove},enablePlugin:function(){var e=this;this.enabled||(this.addHook("beforeOnCellMouseDown",function(t,o,n,r){return e.onBeforeOnCellMouseDown(t,o,n,r)}),this.addHook("beforeOnCellMouseOver",function(t,o,n,r){return e.onBeforeOnCellMouseOver(t,o,n,r)}),this.addHook("afterScrollHorizontally",function(){return e.onAfterScrollHorizontally()}),this.addHook("modifyRow",function(t,o){return e.onModifyRow(t,o)}),this.addHook("beforeRemoveRow",function(t,o){return e.onBeforeRemoveRow(t,o)}),this.addHook("afterRemoveRow",function(t,o){return e.onAfterRemoveRow(t,o)}),this.addHook("afterCreateRow",function(t,o){return 
e.onAfterCreateRow(t,o)}),this.addHook("beforeColumnSort",function(t,o){return e.onBeforeColumnSort(t,o)}),this.addHook("unmodifyRow",function(t){return e.onUnmodifyRow(t)}),this.registerEvents(),w(this.hot.rootElement,O),$traceurRuntime.superGet(this,H.prototype,"enablePlugin").call(this))},updatePlugin:function(){this.disablePlugin(),this.enablePlugin(),this.onAfterPluginsInitialized(),$traceurRuntime.superGet(this,H.prototype,"updatePlugin").call(this)},disablePlugin:function(){var e=this.hot.getSettings().manualRowMove;Array.isArray(e)&&this.rowsMapper.clearMap(),v(this.hot.rootElement,O),this.unregisterEvents(),this.backlight.destroy(),this.guideline.destroy(),$traceurRuntime.superGet(this,H.prototype,"disablePlugin").call(this)},moveRow:function(e,t){this.moveRows([e],t)},moveRows:function(e,t){var o=this,n=E.get(this),r=this.hot.runHooks("beforeRowMove",e,t);n.disallowMoving=r===!1,n.disallowMoving||(g(e,function(e,t,n){n[t]=o.rowsMapper.getValueByIndex(e)}),g(e,function(e,n){var r=o.rowsMapper.getIndexByValue(e);r!==t&&o.rowsMapper.moveRow(r,t+n)}),this.rowsMapper.clearNull()),this.hot.runHooks("afterRowMove",e,t)},changeSelection:function(e,t){var o=this.hot.selection,n=this.hot.countCols()-1;o.setRangeStartOnly(new WalkontableCellCoords(e,0)),o.setRangeEnd(new WalkontableCellCoords(t,n),!1)},getRowsHeight:function(e,t){for(var o=0,n=e;nthis.hot.getSettings().fixedRowsBottom},persistentStateSave:function(){p.hooks.run(this.hot,"persistentStateSave","manualRowMove",this.rowsMapper._arrayMap)},persistentStateLoad:function(){var e={};return p.hooks.run(this.hot,"persistentStateLoad","manualRowMove",e),e.value?e.value:[]},prepareRowsToMoving:function(){var e=this.hot.getSelectedRange(),t=[];if(!e)return t;var o=e,n=o.from,r=o.to,i=Math.min(n.row,r.row),s=Math.max(n.row,r.row);return b(i,s,function(e){t.push(e)}),t},refreshPositions:function(){var 
e=E.get(this),t=e.target.coords,o=this.hot.view.wt.wtTable.getFirstVisibleRow(),n=this.hot.view.wt.wtTable.getLastVisibleRow(),r=this.hot.getSettings().fixedRowsTop,i=this.hot.countRows();t.row0&&this.hot.scrollViewportTo(o-1),t.row>=n&&n0?o-1:o:a.offsetHeight/2+u<=c?(e.target.row=t.row+1,u+=0===t.row?a.offsetHeight-1:a.offsetHeight):e.target.row=t.row;var g=c,m=u;c+p+f>=d?g=d-p-f:c+f=d-1&&(m=d-1);var w=0;this.hot.view.wt.wtOverlays.topOverlay&&(w=this.hot.view.wt.wtOverlays.topOverlay.clone.wtTable.TABLE.offsetHeight),t.row>=r&&m-s.holder.scrollTop=f&&t.row<=p){n.row=!0,a.pressed=!0,a.target.eventPageY=e.pageY,a.target.coords=t,a.target.TD=o,a.rowsToMove=this.prepareRowsToMoving();var g=r.holder.scrollLeft+r.getColumnWidth(-1);this.backlight.setPosition(null,g),this.backlight.setSize(r.hider.offsetWidth-g,this.getRowsHeight(f,p+1)),this.backlight.setOffset((this.getRowsHeight(f,t.row)+e.layerY)*-1,null),w(this.hot.rootElement,k),this.refreshPositions()}else v(this.hot.rootElement,D),a.pressed=!1,a.rowsToMove.length=0},onMouseMove:function(e){var t=E.get(this);if(t.pressed){if(e.realTarget===this.backlight.element){var o=this.backlight.getSize().height;this.backlight.setSize(null,0),setTimeout(function(){this.backlight.setPosition(null,o)})}t.target.eventPageY=e.pageY,this.refreshPositions()}},onBeforeOnCellMouseOver:function(e,t,o,n){var r=this.hot.getSelectedRange(),i=E.get(this);r&&i.pressed&&(i.rowsToMove.indexOf(t.row)>-1?v(this.hot.rootElement,T):w(this.hot.rootElement,T),n.row=!0,n.column=!0,n.cell=!0,i.target.coords=t,i.target.TD=o)},onMouseUp:function(){var e=E.get(this);if(e.pressed=!1,e.backlightHeight=0,v(this.hot.rootElement,[k,T,D]),this.hot.selection.selectedHeader.rows&&w(this.hot.rootElement,D),!(e.rowsToMove.length<1)){var t=e.target.row;if(this.moveRows(e.rowsToMove,t),this.persistentStateSave(),this.hot.render(),!e.disallowMoving){var 
o=this.rowsMapper.getIndexByValue(e.rowsToMove[0]),n=this.rowsMapper.getIndexByValue(e.rowsToMove[e.rowsToMove.length-1]);this.changeSelection(o,n)}e.rowsToMove.length=0}},onAfterScrollHorizontally:function(){var e=this.hot.view.wt.wtTable,t=e.getColumnWidth(-1),o=e.holder.scrollLeft,n=t+o;this.backlight.setPosition(null,n),this.backlight.setSize(e.hider.offsetWidth-n)},onAfterCreateRow:function(e,t){this.rowsMapper.shiftItems(e,t)},onBeforeRemoveRow:function(e,t){var o=this;this.removedRows.length=0,e!==!1&&b(e,e+t-1,function(e){o.removedRows.push(o.hot.runHooks("modifyRow",e,o.pluginName))})},onAfterRemoveRow:function(e,t){this.rowsMapper.unshiftItems(this.removedRows)},onModifyRow:function(e,t){return t!==this.pluginName&&(e=this.rowsMapper.getValueByIndex(e)),e},onUnmodifyRow:function(e){return this.rowsMapper.getIndexByValue(e)},onAfterPluginsInitialized:function(){0===this.rowsMapper._arrayMap.length&&this.rowsMapper.createMap(this.hot.countSourceRows()||this.hot.getSettings().startRows),this.initialSettings(),this.backlight.build(),this.guideline.build()},destroy:function(){this.backlight.destroy(),this.guideline.destroy(),$traceurRuntime.superGet(this,H.prototype,"destroy").call(this)}},{},f),_("ManualRowMove",x),p.hooks.register("beforeRowMove"),p.hooks.register("afterRowMove"),p.hooks.register("unmodifyRow")},{"_base.js":62,browser:24,eventManager:42,"helpers/array":43,"helpers/dom/element":47,"helpers/number":52,plugins:61,rowsMapper:103,"ui/backlight":105,"ui/guideline":106}],103:[function(e,t,o){"use strict";Object.defineProperties(o,{RowsMapper:{get:function(){return f}},__esModule:{value:!0}});var 
n,r,i,s,a,l=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,u=(r=e("mixins/arrayMapper"),r&&r.__esModule&&r||{default:r}).arrayMapper,c=(i=e("helpers/array"),i&&i.__esModule&&i||{default:i}).arrayFilter,d=(s=e("helpers/object"),s&&s.__esModule&&s||{default:s}).mixin,h=(a=e("helpers/number"),a&&a.__esModule&&a||{default:a}).rangeEach,f=function(e){this.manualRowMove=e};$traceurRuntime.createClass(f,{createMap:function(e){var t=this,o=void 0===e?this._arrayMap.length:e;this._arrayMap.length=0,h(o-1,function(e){t._arrayMap[e]=e})},destroy:function(){this._arrayMap=null},moveRow:function(e,t){var o=this._arrayMap[e];this._arrayMap[e]=null,this._arrayMap.splice(t,0,o)},clearNull:function(){this._arrayMap=c(this._arrayMap,function(e){return null!==e})}},{}),d(f,u),l.utils.ManualRowMoveRowsMapper=f},{browser:24,"helpers/array":43,"helpers/number":52,"helpers/object":53,"mixins/arrayMapper":57}],104:[function(e,t,o){"use strict";Object.defineProperties(o,{BaseUI:{get:function(){return a}},__esModule:{value:!0}});var n=0,r=1,i=2,s="px",a=function(e){this.hot=e,this._element=null,this.state=n};$traceurRuntime.createClass(a,{appendTo:function(e){e.appendChild(this._element),this.state=i},build:function(){this._element=document.createElement("div"),this.state=r},destroy:function(){this.isAppended()&&this._element.parentElement.removeChild(this._element),this._element=null,this.state=n},isAppended:function(){return this.state===i},isBuilt:function(){return 
this.state>=r},setPosition:function(e,t){e&&(this._element.style.top=e+s),t&&(this._element.style.left=t+s)},getPosition:function(){return{top:this._element.style.top?parseInt(this._element.style.top,10):0,left:this._element.style.left?parseInt(this._element.style.left,10):0}},setSize:function(e,t){e&&(this._element.style.width=e+s),t&&(this._element.style.height=t+s)},getSize:function(){return{width:this._element.style.width?parseInt(this._element.style.width,10):0,height:this._element.style.height?parseInt(this._element.style.height,10):0}},setOffset:function(e,t){e&&(this._element.style.marginTop=e+s),t&&(this._element.style.marginLeft=t+s)},getOffset:function(){return{top:this._element.style.marginTop?parseInt(this._element.style.marginTop,10):0,left:this._element.style.marginLeft?parseInt(this._element.style.marginLeft,10):0}}},{})},{}],105:[function(e,t,o){"use strict";Object.defineProperties(o,{BacklightUI:{get:function(){return l}},__esModule:{value:!0}});var n,r,i=(n=e("_base"),n&&n.__esModule&&n||{default:n}).BaseUI,s=(r=e("helpers/dom/element"),r&&r.__esModule&&r||{default:r}).addClass,a="ht__manualRowMove--backlight",l=function(e){$traceurRuntime.superConstructor(u).call(this,e)},u=l;$traceurRuntime.createClass(l,{build:function(){$traceurRuntime.superGet(this,u.prototype,"build").call(this),s(this._element,a)}},{},i)},{_base:104,"helpers/dom/element":47}],106:[function(e,t,o){"use strict";Object.defineProperties(o,{GuidelineUI:{get:function(){return l}},__esModule:{value:!0}});var n,r,i=(n=e("_base"),n&&n.__esModule&&n||{default:n}).BaseUI,s=(r=e("helpers/dom/element"),r&&r.__esModule&&r||{default:r}).addClass,a="ht__manualRowMove--guideline",l=function(e){$traceurRuntime.superConstructor(u).call(this,e)},u=l;$traceurRuntime.createClass(l,{build:function(){$traceurRuntime.superGet(this,u.prototype,"build").call(this),s(this._element,a)}},{},i)},{_base:104,"helpers/dom/element":47}],107:[function(e,t,o){"use 
strict";Object.defineProperties(o,{ManualRowResize:{get:function(){return M}},__esModule:{value:!0}});var n,r,i,s,a,l,u,c,d=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,h=(r=e("_base.js"),r&&r.__esModule&&r||{default:r}).default,f=(i=e("helpers/dom/element"),i&&i.__esModule&&i||{default:i}),p=f.addClass,g=f.hasClass,m=f.removeClass,w=f.outerWidth,v=(s=e("eventManager"),s&&s.__esModule&&s||{default:s}).eventManager,y=(a=e("helpers/dom/event"),a&&a.__esModule&&a||{default:a}),b=(y.pageX,y.pageY),C=(l=e("helpers/array"),l&&l.__esModule&&l||{default:l}).arrayEach,_=(u=e("helpers/number"),u&&u.__esModule&&u||{default:u}).rangeEach,R=(c=e("plugins"),c&&c.__esModule&&c||{default:c}).registerPlugin,M=function(e){$traceurRuntime.superConstructor(S).call(this,e),this.currentTH=null,this.currentRow=null,this.selectedRows=[],this.currentHeight=null,this.newSize=null,this.startY=null,this.startHeight=null,this.startOffset=null,this.handle=document.createElement("DIV"),this.guide=document.createElement("DIV"),this.eventManager=v(this),this.pressed=null,this.dblclick=0,this.autoresizeTimeout=null,this.manualRowHeights=[],p(this.handle,"manualRowResizer"),p(this.guide,"manualRowResizerGuide")},S=M;$traceurRuntime.createClass(M,{isEnabled:function(){return this.hot.getSettings().manualRowResize},enablePlugin:function(){var e=this;if(!this.enabled){this.manualRowHeights=[];var t=this.hot.getSettings().manualRowResize,o=this.loadManualRowHeights();"undefined"!=typeof o?this.manualRowHeights=o:Array.isArray(t)?this.manualRowHeights=t:this.manualRowHeights=[],this.addHook("modifyRowHeight",function(t,o){return e.onModifyRowHeight(t,o)}),d.hooks.register("beforeRowResize"),d.hooks.register("afterRowResize"),this.bindEvents(),$traceurRuntime.superGet(this,S.prototype,"enablePlugin").call(this)}},updatePlugin:function(){var 
e=this.hot.getSettings().manualRowResize;Array.isArray(e)?this.manualRowHeights=e:e||(this.manualRowHeights=[])},disablePlugin:function(){$traceurRuntime.superGet(this,S.prototype,"disablePlugin").call(this)},saveManualRowHeights:function(){this.hot.runHooks("persistentStateSave","manualRowHeights",this.manualRowHeights)},loadManualRowHeights:function(){var e={};return this.hot.runHooks("persistentStateLoad","manualRowHeights",e),e.value},setupHandlePosition:function(e){var t=this;this.currentTH=e;var o=this.hot.view.wt.wtTable.getCoords(e).row,n=w(this.currentTH);if(o>=0){var r=this.currentTH.getBoundingClientRect();if(this.currentRow=o,this.selectedRows=[],this.hot.selection.isSelected()&&this.hot.selection.selectedHeader.rows){var i=this.hot.getSelectedRange(),s=i.from,a=i.to,l=s.row,u=a.row;l>=u&&(l=a.row,u=s.row),this.currentRow>=l&&this.currentRow<=u?_(l,u,function(e){return t.selectedRows.push(e)}):this.selectedRows.push(this.currentRow)}else this.selectedRows.push(this.currentRow);this.startOffset=r.top-6,this.startHeight=parseInt(r.height,10),this.handle.style.left=r.left+"px",this.handle.style.top=this.startOffset+this.startHeight+"px",this.handle.style.width=n+"px",this.hot.rootElement.appendChild(this.handle)}},refreshHandlePosition:function(){this.handle.style.top=this.startOffset+this.currentHeight+"px"},setupGuidePosition:function(){var e=parseInt(w(this.handle),10),t=parseInt(this.handle.style.left,10)+e,o=parseInt(this.hot.view.maximumVisibleElementWidth(0),10);p(this.handle,"active"),p(this.guide,"active"),this.guide.style.top=this.handle.style.top,this.guide.style.left=t+"px",this.guide.style.width=o-e+"px",this.hot.rootElement.appendChild(this.guide)},refreshGuidePosition:function(){this.guide.style.top=this.handle.style.top},hideHandleAndGuide:function(){m(this.handle,"active"),m(this.guide,"active")},checkIfRowHeader:function(e){if(e!=this.hot.rootElement){var 
t=e.parentNode;return"TBODY"===t.tagName||this.checkIfRowHeader(t)}return!1},getTHFromTargetElement:function(e){return"TABLE"!=e.tagName?"TH"==e.tagName?e:this.getTHFromTargetElement(e.parentNode):null},onMouseOver:function(e){if(this.checkIfRowHeader(e.target)){var t=this.getTHFromTargetElement(e.target);t&&(this.pressed||this.setupHandlePosition(t))}},afterMouseDownTimeout:function(){var e=this,t=function(){e.hot.forceFullRender=!0,e.hot.view.render(),e.hot.view.wt.wtOverlays.adjustElementsSize(!0)},o=function(o,n){var r=e.hot.runHooks("beforeRowResize",o,e.newSize,!0);void 0!==r&&(e.newSize=r),e.setManualSize(o,e.newSize),n&&t(),e.hot.runHooks("afterRowResize",o,e.newSize,!0)};if(this.dblclick>=2){var n=this.selectedRows.length;n>1?(C(this.selectedRows,function(e){o(e)}),t()):C(this.selectedRows,function(e){o(e,!0)})}this.dblclick=0,this.autoresizeTimeout=null},onMouseDown:function(e){var t=this;g(e.target,"manualRowResizer")&&(this.setupGuidePosition(),this.pressed=this.hot,null==this.autoresizeTimeout&&(this.autoresizeTimeout=setTimeout(function(){return t.afterMouseDownTimeout()},500),this.hot._registerTimeout(this.autoresizeTimeout)),this.dblclick++,this.startY=b(e),this.newSize=this.startHeight)},onMouseMove:function(e){var t=this;this.pressed&&(this.currentHeight=this.startHeight+(b(e)-this.startY),C(this.selectedRows,function(e){t.newSize=t.setManualSize(e,t.currentHeight)}),this.refreshHandlePosition(),this.refreshGuidePosition())},onMouseUp:function(e){var t=this,o=function(){t.hot.forceFullRender=!0,t.hot.view.render(),t.hot.view.wt.wtOverlays.adjustElementsSize(!0)},n=function(e,n){t.hot.runHooks("beforeRowResize",e,t.newSize),n&&o(),t.saveManualRowHeights(),t.hot.runHooks("afterRowResize",e,t.newSize)};if(this.pressed){if(this.hideHandleAndGuide(),this.pressed=!1,this.newSize!=this.startHeight){var 
r=this.selectedRows.length;r>1?(C(this.selectedRows,function(e){n(e)}),o()):C(this.selectedRows,function(e){n(e,!0)})}this.setupHandlePosition(this.currentTH)}},bindEvents:function(){var e=this;this.eventManager.addEventListener(this.hot.rootElement,"mouseover",function(t){return e.onMouseOver(t)}),this.eventManager.addEventListener(this.hot.rootElement,"mousedown",function(t){return e.onMouseDown(t)}),this.eventManager.addEventListener(window,"mousemove",function(t){return e.onMouseMove(t)}),this.eventManager.addEventListener(window,"mouseup",function(t){return e.onMouseUp(t)})},setManualSize:function(e,t){return e=this.hot.runHooks("modifyRow",e),this.manualRowHeights[e]=t,t},onModifyRowHeight:function(e,t){if(this.enabled){var o=this.hot.getPlugin("autoRowSize"),n=o?o.heights[t]:null;t=this.hot.runHooks("modifyRow",t);var r=this.manualRowHeights[t];if(void 0!==r&&(r===n||r>(e||0)))return r}return e}},{},h),R("manualRowResize",M)},{"_base.js":62,browser:24,eventManager:42,"helpers/array":43,"helpers/dom/element":47,"helpers/dom/event":48,"helpers/number":52,plugins:61}],108:[function(e,t,o){"use strict";function n(){var e=[];return e.getInfo=function(e,t){for(var o=0,n=this.length;o=e&&this[o].col<=t&&this[o].col+this[o].colspan-1>=t)return this[o]},e.setInfo=function(e){for(var t=0,o=this.length;t=e.row&&t.row<=e.row+e.rowspan-1},r=function(e,t){return t.col>=e.col&&t.col<=e.col+e.colspan-1},i=function(e){return new v(t.to.row+e.row,t.to.col+e.col)},s={row:o.row,col:o.col};if("modifyTransformStart"==e){this.lastDesiredCoords||(this.lastDesiredCoords=new v(null,null));for(var a,l=new v(t.highlight.row,t.highlight.col),u=this.mergedCellInfoCollection.getInfo(l.row,l.col),c=0,d=this.mergedCellInfoCollection.length;c0?s.row=u.row+u.rowspan-1-l.row+o.row:o.row<0&&(s.row=l.row-u.row+o.row),o.col>0?s.col=u.col+u.colspan-1-l.col+o.col:o.col<0&&(s.col=l.col-u.col+o.col)}var m=new 
v(t.highlight.row+s.row,t.highlight.col+s.col),w=this.mergedCellInfoCollection.getInfo(m.row,m.col);w&&(this.lastDesiredCoords=m,s={row:w.row-l.row,col:w.col-l.col})}else if("modifyTransformEnd"==e)for(var c=0,d=this.mergedCellInfoCollection.length;c0){var R=t.highlight.isEqual(C.from);_.indexOf("top")>-1?t.to.isSouthEastOf(C.from)&&R?t.setDirection("NW-SE"):t.to.isSouthWestOf(C.from)&&R&&t.setDirection("NE-SW"):_.indexOf("bottom")>-1&&(t.to.isNorthEastOf(C.from)&&R?t.setDirection("SW-NE"):t.to.isNorthWestOf(C.from)&&R&&t.setDirection("SE-NW"))}var m=i(s),M=n(b,m),S=r(b,m);t.includesRange(C)&&(C.includes(m)||M||S)&&(M&&(s.row<0?s.row-=b.rowspan-1:s.row>0&&(s.row+=b.rowspan-1)),S&&(s.col<0?s.col-=b.colspan-1:s.col>0&&(s.col+=b.colspan-1)))}0!==s.row&&(o.row=s.row),0!==s.col&&(o.col=s.col)},r.prototype.shiftCollection=function(e,t,o){var n=[0,0];switch(e){case"right":n[0]+=1;break;case"left":n[0]-=1;break;case"down":n[1]+=1;break;case"up":n[1]-=1}for(var r=0;r0&&n.from.row>=r&&(n.from.row=n.from-1),n.from.col<0?n.from.col=0:n.from.col>0&&n.from.col>=i&&(n.from.col=i-1)}}}},T=function(e){this.lastDesiredCoords=null;var t=this.getSettings().mergeCells;if(t){var o=this.getSelectedRange();o.highlight=new v(o.highlight.row,o.highlight.col),o.to=e;var n=!1;do{n=!1;for(var r=0,i=this.mergeCells.mergedCellInfoCollection.length;re.endRow)return e.endRow=i,x.call(this,e)}}},H=function(e){var t=this.getSettings().mergeCells;if(t)for(var o,n=this.countRows(),r=0;re.endColumn)return e.endColumn=i,H.call(this,e)}}},A=function(e){if(e&&this.mergeCells){var t=this.mergeCells.mergedCellInfoCollection,o=this.getSelectedRange();for(var n in t)if(o.highlight.row==t[n].row&&o.highlight.col==t[n].col&&o.to.row==t[n].row+t[n].rowspan-1&&o.to.col==t[n].col+t[n].colspan-1)return!1}return 
e};m.hooks.add("beforeInit",C),m.hooks.add("afterInit",_),m.hooks.add("afterUpdateSettings",R),m.hooks.add("beforeKeyDown",M),m.hooks.add("modifyTransformStart",O("modifyTransformStart")),m.hooks.add("modifyTransformEnd",O("modifyTransformEnd")),m.hooks.add("beforeSetRangeEnd",T),m.hooks.add("beforeDrawBorders",k),m.hooks.add("afterIsMultipleSelection",A),m.hooks.add("afterRenderer",E),m.hooks.add("afterContextMenuDefaultOptions",S),m.hooks.add("afterGetCellMeta",D),m.hooks.add("afterViewportRowCalculatorOverride",x),m.hooks.add("afterViewportColumnCalculatorOverride",H),m.hooks.add("modifyAutofillRange",i),m.hooks.add("afterCreateCol",s),m.hooks.add("afterRemoveCol",a),m.hooks.add("afterCreateRow",l),m.hooks.add("afterRemoveRow",u),m.MergeCells=r},{"3rdparty/walkontable/src/cell/coords":6,"3rdparty/walkontable/src/cell/range":7,"3rdparty/walkontable/src/table":21,browser:24,"helpers/dom/event":48,plugins:61}],109:[function(e,t,o){"use strict";Object.defineProperties(o,{MultipleSelectionHandles:{get:function(){return w}},__esModule:{value:!0}});var n,r,i,s,a,l,u=((n=e("browser"),n&&n.__esModule&&n||{default:n}).default,r=e("helpers/dom/element"),r&&r.__esModule&&r||{default:r}),c=u.getWindowScrollTop,d=u.hasClass,h=u.getWindowScrollLeft,f=(i=e("helpers/browser"),i&&i.__esModule&&i||{default:i}).isMobileBrowser,p=(s=e("_base"),s&&s.__esModule&&s||{default:s}).default,g=(a=e("eventManager"),a&&a.__esModule&&a||{default:a}).EventManager,m=(l=e("plugins"),l&&l.__esModule&&l||{default:l}).registerPlugin,w=function(e){$traceurRuntime.superConstructor(v).call(this,e),this.dragged=[],this.eventManager=null,this.lastSetCell=null},v=w;$traceurRuntime.createClass(w,{isEnabled:function(){return f()},enablePlugin:function(){this.enabled||(this.eventManager||(this.eventManager=new g(this)),this.registerListeners(),$traceurRuntime.superGet(this,v.prototype,"enablePlugin").call(this))},registerListeners:function(){function e(e){if(1===t.dragged.length)return 
t.dragged.splice(0,t.dragged.length),!0;var o=t.dragged.indexOf(e);return o!=-1&&void(0===o?t.dragged=t.dragged.slice(0,1):1==o&&(t.dragged=t.dragged.slice(-1)))}var t=this;this.eventManager.addEventListener(this.hot.rootElement,"touchstart",function(e){var o;return d(e.target,"topLeftSelectionHandle-HitArea")?(o=t.hot.getSelectedRange(),t.dragged.push("topLeft"),t.touchStartRange={width:o.getWidth(),height:o.getHeight(),direction:o.getDirection()},e.preventDefault(),!1):d(e.target,"bottomRightSelectionHandle-HitArea")?(o=t.hot.getSelectedRange(),t.dragged.push("bottomRight"),t.touchStartRange={width:o.getWidth(),height:o.getHeight(),direction:o.getDirection()},e.preventDefault(),!1):void 0}),this.eventManager.addEventListener(this.hot.rootElement,"touchend",function(o){return d(o.target,"topLeftSelectionHandle-HitArea")?(e.call(t,"topLeft"),t.touchStartRange=void 0,o.preventDefault(),!1):d(o.target,"bottomRightSelectionHandle-HitArea")?(e.call(t,"bottomRight"),t.touchStartRange=void 0,o.preventDefault(),!1):void 0}),this.eventManager.addEventListener(this.hot.rootElement,"touchmove",function(e){var o,n,r,i,s,a,l,u=c(),d=h();0!==t.dragged.length&&(o=document.elementFromPoint(e.touches[0].screenX-d,e.touches[0].screenY-u),o&&o!==t.lastSetCell&&("TD"!=o.nodeName&&"TH"!=o.nodeName||(n=t.hot.getCoords(o),n.col==-1&&(n.col=0),r=t.hot.getSelectedRange(),i=r.getWidth(),s=r.getHeight(),a=r.getDirection(),1==i&&1==s&&t.hot.selection.setRangeEnd(n),l=t.getCurrentRangeCoords(r,n,t.touchStartRange.direction,a,t.dragged[0]),null!==l.start&&t.hot.selection.setRangeStart(l.start),t.hot.selection.setRangeEnd(l.end),t.lastSetCell=o),e.preventDefault()))})},getCurrentRangeCoords:function(e,t,o,n,r){var i=e.getTopLeftCorner(),s=e.getBottomRightCorner(),a=e.getBottomLeftCorner(),l=e.getTopRightCorner(),u={start:null,end:null};switch(o){case"NE-SW":switch(n){case"NE-SW":case"NW-SE":u="topLeft"==r?{start:new WalkontableCellCoords(t.row,e.highlight.col),end:new 
WalkontableCellCoords(a.row,t.col)}:{start:new WalkontableCellCoords(e.highlight.row,t.col),end:new WalkontableCellCoords(t.row,i.col)};break;case"SE-NW":"bottomRight"==r&&(u={start:new WalkontableCellCoords(s.row,t.col),end:new WalkontableCellCoords(t.row,i.col)})}break;case"NW-SE":switch(n){case"NE-SW":"topLeft"==r?u={start:t,end:a}:u.end=t;break;case"NW-SE":"topLeft"==r?u={start:t,end:s}:u.end=t;break;case"SE-NW":"topLeft"==r?u={start:t,end:i}:u.end=t;break;case"SW-NE":"topLeft"==r?u={start:t,end:l}:u.end=t}break;case"SW-NE":switch(n){case"NW-SE":u="bottomRight"==r?{start:new WalkontableCellCoords(t.row,i.col),end:new WalkontableCellCoords(a.row,t.col)}:{start:new WalkontableCellCoords(i.row,t.col),end:new WalkontableCellCoords(t.row,s.col)};break;case"SW-NE":u="topLeft"==r?{start:new WalkontableCellCoords(e.highlight.row,t.col),end:new WalkontableCellCoords(t.row,s.col)}:{start:new WalkontableCellCoords(t.row,i.col),end:new WalkontableCellCoords(i.row,t.col)};break;case"SE-NW":"bottomRight"==r?u={start:new WalkontableCellCoords(t.row,l.col),end:new WalkontableCellCoords(i.row,t.col)}:"topLeft"==r&&(u={start:a,end:t})}break;case"SE-NW":switch(n){case"NW-SE":case"NE-SW":case"SW-NE":"topLeft"==r&&(u.end=t);break;case"SE-NW":"topLeft"==r?u.end=t:u={start:t,end:i}}}return u},isDragged:function(){return this.dragged.length>0}},{},p),m("multipleSelectionHandles",w)},{_base:62,browser:24,eventManager:42,"helpers/browser":44,"helpers/dom/element":47,plugins:61}],110:[function(e,t,o){"use strict";Object.defineProperties(o,{DataObserver:{get:function(){return d}},__esModule:{value:!0}});var 
n,r,i,s,a=(n=e("jsonpatch"),n&&n.__esModule&&n||{default:n}).default,l=(r=e("../../mixins/localHooks"),r&&r.__esModule&&r||{default:r}).localHooks,u=(i=e("../../helpers/object"),i&&i.__esModule&&i||{default:i}).mixin,c=(s=e("utils"),s&&s.__esModule&&s||{default:s}).cleanPatches,d=function(e){this.observedData=null,this.observer=null,this.paused=!1,this.setObservedData(e)};$traceurRuntime.createClass(d,{setObservedData:function(e){var t=this;this.observer&&a.unobserve(this.observedData,this.observer),this.observedData=e,this.observer=a.observe(this.observedData,function(e){return t.onChange(e)})},isPaused:function(){return this.paused},pause:function(){this.paused=!0},resume:function(){this.paused=!1},onChange:function(e){this.runLocalHooks("change",c(e))},destroy:function(){a.unobserve(this.observedData,this.observer),this.observedData=null,this.observer=null}},{}),u(d,l)},{"../../helpers/object":53,"../../mixins/localHooks":58,jsonpatch:"jsonpatch",utils:112}],111:[function(e,t,o){"use strict";Object.defineProperties(o,{ObserveChanges:{get:function(){return p}},__esModule:{value:!0}});var n,r,i,s,a,l,u=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,c=(r=e("_base"),r&&r.__esModule&&r||{default:r}).default,d=((i=e("jsonpatch"),i&&i.__esModule&&i||{default:i}).default,(s=e("dataObserver"),s&&s.__esModule&&s||{default:s}).DataObserver),h=(a=e("helpers/array"),a&&a.__esModule&&a||{default:a}).arrayEach,f=(l=e("plugins"),l&&l.__esModule&&l||{default:l}).registerPlugin;u.hooks.register("afterChangesObserved");var p=function(e){$traceurRuntime.superConstructor(g).call(this,e),this.observer=null},g=p;$traceurRuntime.createClass(p,{isEnabled:function(){return this.hot.getSettings().observeChanges},enablePlugin:function(){var e=this;this.enabled||(this.observer||(this.observer=new d(this.hot.getSourceData()),this._exposePublicApi()),this.observer.addLocalHook("change",function(t){return e.onDataChange(t)}),this.addHook("afterCreateRow",function(){return 
e.onAfterTableAlter()}),this.addHook("afterRemoveRow",function(){return e.onAfterTableAlter()}),this.addHook("afterCreateCol",function(){return e.onAfterTableAlter()}),this.addHook("afterRemoveCol",function(){return e.onAfterTableAlter()}),this.addHook("afterChange",function(t,o){return e.onAfterTableAlter(o)}),this.addHook("afterLoadData",function(t){return e.onAfterLoadData(t)}),$traceurRuntime.superGet(this,g.prototype,"enablePlugin").call(this))},disablePlugin:function(){this.observer&&(this.observer.destroy(),this.observer=null,this._deletePublicApi()),$traceurRuntime.superGet(this,g.prototype,"disablePlugin").call(this)},onDataChange:function(e){var t=this;if(!this.observer.isPaused()){var o={add:function(e){isNaN(e.col)?t.hot.runHooks("afterCreateRow",e.row):t.hot.runHooks("afterCreateCol",e.col)},remove:function(e){isNaN(e.col)?t.hot.runHooks("afterRemoveRow",e.row,1):t.hot.runHooks("afterRemoveCol",e.col,1)},replace:function(e){t.hot.runHooks("afterChange",[e.row,e.col,null,e.value],"external")}};h(e,function(e){o[e.op]&&o[e.op](e)}),this.hot.render()}this.hot.runHooks("afterChangesObserved")},onAfterTableAlter:function(e){var t=this;"loadData"!==e&&(this.observer.pause(),this.hot.addHookOnce("afterChangesObserved",function(){return t.observer.resume()}))},onAfterLoadData:function(e){e||this.observer.setObservedData(this.hot.getSourceData())},destroy:function(){this.observer&&(this.observer.destroy(),this._deletePublicApi()),$traceurRuntime.superGet(this,g.prototype,"destroy").call(this)},_exposePublicApi:function(){var e=this,t=this.hot;t.pauseObservingChanges=function(){return e.observer.pause()},t.resumeObservingChanges=function(){return e.observer.resume()},t.isPausedObservingChanges=function(){return e.observer.isPaused()}},_deletePublicApi:function(){var e=this.hot;delete e.pauseObservingChanges,delete e.resumeObservingChanges,delete 
e.isPausedObservingChanges}},{},c),f("observeChanges",p)},{_base:62,browser:24,dataObserver:110,"helpers/array":43,jsonpatch:"jsonpatch",plugins:61}],112:[function(e,t,o){"use strict";function n(e){var t=[];return e=a(e,function(e){return!/[\/]length/gi.test(e.path)&&!!r(e.path)}),e=l(e,function(e){var t=r(e.path);return e.row=t.row,e.col=t.col,e}),e=a(e,function(e){if(["add","remove"].indexOf(e.op)!==-1&&!isNaN(e.col)){if(t.indexOf(e.col)!==-1)return!1;t.push(e.col)}return!0}),t.length=0,e}function r(e){var t=e.match(/^\/(\d+)\/?(.*)?$/);if(!t)return null;var o=t,n=o[1],r=o[2];return{row:parseInt(n,10),col:/^\d*$/.test(r)?parseInt(r,10):r}}Object.defineProperties(o,{cleanPatches:{get:function(){return n}},parsePath:{get:function(){return r}},__esModule:{value:!0}});var i,s=(i=e("../../helpers/array"),i&&i.__esModule&&i||{default:i}),a=s.arrayFilter,l=s.arrayMap},{"../../helpers/array":43}],113:[function(e,t,o){"use strict";function n(e){var t,o=function(){window.localStorage[e+"__persistentStateKeys"]=JSON.stringify(t)},n=function(){var o=window.localStorage[e+"__persistentStateKeys"],n="string"==typeof o?JSON.parse(o):void 0;t=n?n:[]},r=function(){t=[],o()};n(),this.saveValue=function(n,r){window.localStorage[e+"_"+n]=JSON.stringify(r),t.indexOf(n)==-1&&(t.push(n),o())},this.loadValue=function(t,o){t="undefined"==typeof t?o:t;var n=window.localStorage[e+"_"+t];return"undefined"==typeof n?void 0:JSON.parse(n)},this.reset=function(t){window.localStorage.removeItem(e+"_"+t)},this.resetAll=function(){for(var o=0;o0},f.UndoRedo.prototype.isRedoAvailable=function(){return 
this.undoneActions.length>0},f.UndoRedo.prototype.clear=function(){this.doneActions.length=0,this.undoneActions.length=0},f.UndoRedo.Action=function(){},f.UndoRedo.Action.prototype.undo=function(){},f.UndoRedo.Action.prototype.redo=function(){},f.UndoRedo.ChangeAction=function(e){this.changes=e,this.actionType="change"},w(f.UndoRedo.ChangeAction,f.UndoRedo.Action),f.UndoRedo.ChangeAction.prototype.undo=function(e,t){for(var o=v(this.changes),n=e.countEmptyRows(!0),r=e.countEmptyCols(!0),i=0,s=o.length;i=o&&this.index-nthis.target?this.rows[0]+this.rows.length:this.rows[0],i=[],s=this.rows.length+n,a=n;a1){var o=arguments[0],n=arguments[1],r=arguments[2];if(r.checkedTemplate){var i=e.getDataAtCell(o,n);null===t?i===r.checkedTemplate?e.setDataAtCell(o,n,r.uncheckedTemplate):i===r.uncheckedTemplate&&e.setDataAtCell(o,n,r.checkedTemplate):e.setDataAtCell(o,n,r.uncheckedTemplate)}}else for(var s=arguments[0],a=0,l=s.length;a0&&!a.readOnly&&t(u)}}}S("base").apply(this,arguments);var p=r(e),g=i(),m=u.label,w=!1;if("undefined"==typeof u.checkedTemplate&&(u.checkedTemplate=!0),"undefined"==typeof u.uncheckedTemplate&&(u.uncheckedTemplate=!1),y(t),l===u.checkedTemplate||_(l,u.checkedTemplate)?g.checked=!0:l===u.uncheckedTemplate||_(l,u.uncheckedTemplate)?g.checked=!1:null===l?b(g,"noValue"):(g.style.display="none",b(g,P),w=!0),g.setAttribute("data-row",o),g.setAttribute("data-col",n),!w&&m){var v="";m.value?v="function"==typeof m.value?m.value.call(this,o,n,a,l):m.value:m.property&&(v=e.getDataAtRowProp(o,m.property));var R=s(v);"before"===m.position?R.appendChild(g):R.insertBefore(g,R.firstChild),g=R}t.appendChild(g),w&&t.appendChild(document.createTextNode("#bad-value#")),H.has(e)||(H.set(e,!0),e.addHook("beforeKeyDown",c))}function r(e){var t=A.get(e);return t||(t=new R(e),t.addEventListener(e.rootElement,"click",function(t){return l(t,e)}),t.addEventListener(e.rootElement,"mouseup",function(t){return a(t,e)}),t.addEventListener(e.rootElement,"change",function(t){return 
u(t,e)}),A.set(e,t)),t}function i(){var e=document.createElement("input");return e.className="htCheckboxRendererInput",e.type="checkbox",e.setAttribute("autocomplete","off"),e.setAttribute("tabindex","-1"),e.cloneNode(!1)}function s(e){var t=document.createElement("label");return t.className="htCheckboxRendererLabel",t.appendChild(document.createTextNode(e)),t.cloneNode(!0)}function a(e,t){c(e.target)&&setTimeout(t.listen,10)}function l(e,t){if(!c(e.target))return!1;var o=parseInt(e.target.getAttribute("data-row"),10),n=parseInt(e.target.getAttribute("data-col"),10),r=t.getCellMeta(o,n);r.readOnly&&e.preventDefault()}function u(e,t){if(!c(e.target))return!1;var o=parseInt(e.target.getAttribute("data-row"),10),n=parseInt(e.target.getAttribute("data-col"),10),r=t.getCellMeta(o,n);if(!r.readOnly){var i=null;i=e.target.checked?void 0===r.checkedTemplate||r.checkedTemplate:void 0!==r.uncheckedTemplate&&r.uncheckedTemplate,t.setDataAtCell(o,n,i)}}function c(e){return"INPUT"===e.tagName&&"checkbox"===e.getAttribute("type")}Object.defineProperties(o,{checkboxRenderer:{get:function(){return n}},__esModule:{value:!0}});var d,h,f,p,g,m,w,v=(d=e("helpers/dom/element"),d&&d.__esModule&&d||{default:d}),y=v.empty,b=v.addClass,C=v.hasClass,_=(h=e("helpers/string"),h&&h.__esModule&&h||{default:h}).equalsIgnoreCase,R=(f=e("eventManager"),f&&f.__esModule&&f||{default:f}).EventManager,M=(p=e("renderers"),p&&p.__esModule&&p||{default:p}),S=M.getRenderer,E=M.registerRenderer,O=(g=e("helpers/unicode"),g&&g.__esModule&&g||{default:g}).isKey,T=(m=e("helpers/function"),m&&m.__esModule&&m||{default:m}).partial,k=(w=e("helpers/dom/event"),w&&w.__esModule&&w||{default:w}),D=k.stopImmediatePropagation,x=k.isImmediatePropagationStopped,H=new WeakMap,A=new WeakMap,P="htBadValue";E("checkbox",n)},{eventManager:42,"helpers/dom/element":47,"helpers/dom/event":48,"helpers/function":50,"helpers/string":55,"helpers/unicode":56,renderers:117}],121:[function(e,t,o){"use strict";function 
n(e,t,o,n,r,i,a){l("base").apply(this,arguments),null!==i&&void 0!==i||(i=""),s(t,i)}Object.defineProperties(o,{htmlRenderer:{get:function(){return n}},__esModule:{value:!0}});var r,i,s=(r=e("helpers/dom/element"),r&&r.__esModule&&r||{default:r}).fastInnerHTML,a=(i=e("renderers"),i&&i.__esModule&&i||{default:i}),l=a.getRenderer,u=a.registerRenderer;u("html",n)},{"helpers/dom/element":47,renderers:117}],122:[function(e,t,o){"use strict";function n(e,t,o,n,r,i,s){if(d(i)){"undefined"!=typeof s.language&&a.culture(s.language),i=a(i).format(s.format||"0");var l=s.className||"",c=l.length?l.split(" "):[];c.indexOf("htLeft")<0&&c.indexOf("htCenter")<0&&c.indexOf("htRight")<0&&c.indexOf("htJustify")<0&&c.push("htRight"),c.indexOf("htNumeric")<0&&c.push("htNumeric"),s.className=c.join(" ")}u("text")(e,t,o,n,r,i,s)}Object.defineProperties(o,{numericRenderer:{get:function(){return n}},__esModule:{value:!0}});var r,i,s,a=(r=e("numbro"),r&&r.__esModule&&r||{default:r}).default,l=(i=e("renderers"),i&&i.__esModule&&i||{default:i}),u=l.getRenderer,c=l.registerRenderer,d=(s=e("helpers/number"),s&&s.__esModule&&s||{default:s}).isNumeric;c("numeric",n)},{"helpers/number":52,numbro:"numbro",renderers:117}],123:[function(e,t,o){"use strict";function n(e,t,o,n,r,i,a){l("text").apply(this,arguments),i=t.innerHTML;var u,c=a.hashLength||i.length,d=a.hashSymbol||"*";for(u="";u.split(d).length-13?("function"==typeof n&&(e.__proto__=n),e.prototype=d(a(n),i(t))):e.prototype=t,f(e,"prototype",{configurable:!1,writable:!1}),h(e,i(o))}function a(e){if("function"==typeof e){var t=e.prototype;if(u(t)===t||null===t)return e.prototype;throw new c("super prototype must be an Object or null")}if(null===e)return null;throw new c("Super expression must either be null or a function, not "+typeof e+".")}function l(e,t,n){null!==g(t)&&o(e,t,"constructor",n)}var 
u=Object,c=TypeError,d=u.create,h=$traceurRuntime.defineProperties,f=$traceurRuntime.defineProperty,p=$traceurRuntime.getOwnPropertyDescriptor,g=Object.getPrototypeOf,m=$traceurRuntime.toProperty,w=Object,v=w.getOwnPropertyNames,y=w.getOwnPropertySymbols;$traceurRuntime.createClass=s,$traceurRuntime.defaultSuperCall=l,$traceurRuntime.superCall=o,$traceurRuntime.superConstructor=t,$traceurRuntime.superGet=n,$traceurRuntime.superSet=r}()},{}],126:[function(e,t,o){"use strict";function n(e){var t=this,o=this;this.eventManager=M(e),this.instance=e,this.settings=e.getSettings(),this.selectionMouseDown=!1;var n=e.rootElement.getAttribute("style");n&&e.rootElement.setAttribute("data-originalstyle",n),p(e.rootElement,"handsontable");var r=document.createElement("TABLE");p(r,"htCore"),e.getSettings().tableClassName&&p(r,e.getSettings().tableClassName),this.THEAD=document.createElement("THEAD"),r.appendChild(this.THEAD),this.TBODY=document.createElement("TBODY"),r.appendChild(this.TBODY),e.table=r,e.container.insertBefore(r,e.container.firstChild),this.eventManager.addEventListener(e.rootElement,"mousedown",function(e){this.selectionMouseDown=!0,o.isTextSelectionAllowed(e.target)||(s(),e.preventDefault(),window.focus())}),this.eventManager.addEventListener(e.rootElement,"mouseup",function(e){this.selectionMouseDown=!1}),this.eventManager.addEventListener(e.rootElement,"mousemove",function(e){this.selectionMouseDown&&!o.isTextSelectionAllowed(e.target)&&(s(),e.preventDefault())}),this.eventManager.addEventListener(document.documentElement,"keyup",function(t){e.selection.isInProgress()&&!t.shiftKey&&e.selection.finish()});var i;this.isMouseDown=function(){return i},this.eventManager.addEventListener(document.documentElement,"mouseup",function(t){e.selection.isInProgress()&&1===t.which&&e.selection.finish(),i=!1,_(document.activeElement)&&e.unlisten()}),this.eventManager.addEventListener(document.documentElement,"mousedown",function(t){var 
n=t.target,r=t.target,s=t.x||t.clientX,a=t.y||t.clientY;if(!i&&e.rootElement){if(r===e.view.wt.wtTable.holder){var l=v();if(document.elementFromPoint(s+l,a)!==e.view.wt.wtTable.holder||document.elementFromPoint(s,a+l)!==e.view.wt.wtTable.holder)return}else for(;r!==document.documentElement;){if(null===r){if(t.isTargetWebComponent)break;return}if(r===e.rootElement)return;r=r.parentNode}var u="function"==typeof o.settings.outsideClickDeselects?o.settings.outsideClickDeselects(n):o.settings.outsideClickDeselects;u?e.deselectCell():e.destroyEditor()}}),this.eventManager.addEventListener(r,"selectstart",function(e){o.settings.fragmentSelection||C(e.target)||e.preventDefault()});var s=function(){window.getSelection?window.getSelection().empty?window.getSelection().empty():window.getSelection().removeAllRanges&&window.getSelection().removeAllRanges():document.selection&&document.selection.empty()},a=[new x({className:"current",border:{width:2,color:"#5292F7",cornerVisible:function(){return o.settings.fillHandle&&!o.isCellEdited()&&!e.selection.isMultiple()},multipleSelectionHandlesVisible:function(){return!o.isCellEdited()&&!e.selection.isMultiple()}}}),new x({className:"area",border:{width:1,color:"#89AFF9",cornerVisible:function(){return o.settings.fillHandle&&!o.isCellEdited()&&e.selection.isMultiple()},multipleSelectionHandlesVisible:function(){return!o.isCellEdited()&&e.selection.isMultiple()}}}),new x({className:"highlight",highlightHeaderClassName:o.settings.currentHeaderClassName,highlightRowClassName:o.settings.currentRowClassName,highlightColumnClassName:o.settings.currentColClassName}),new x({className:"fill",border:{width:1,color:"red"}})];a.current=a[0],a.area=a[1],a.highlight=a[2],a.fill=a[3];var l={debug:function(){return o.settings.debug},externalRowCalculator:this.instance.getPlugin("autoRowSize")&&this.instance.getPlugin("autoRowSize").isEnabled(),table:r,preventOverflow:function(){return t.settings.preventOverflow},stretchH:function(){return 
o.settings.stretchH},data:e.getDataAtCell,totalRows:function(){return e.countRows()},totalColumns:function(){return e.countCols()},fixedColumnsLeft:function(){return o.settings.fixedColumnsLeft},fixedRowsTop:function(){return o.settings.fixedRowsTop},fixedRowsBottom:function(){return o.settings.fixedRowsBottom},minSpareRows:function(){return o.settings.minSpareRows},renderAllRows:o.settings.renderAllRows,rowHeaders:function(){var t=[];return e.hasRowHeaders()&&t.push(function(e,t){o.appendRowHeader(e,t)}),h.hooks.run(e,"afterGetRowHeaderRenderers",t),t},columnHeaders:function(){var t=[];return e.hasColHeaders()&&t.push(function(e,t){o.appendColHeader(e,t)}),h.hooks.run(e,"afterGetColumnHeaderRenderers",t),t},columnWidth:e.getColWidth,rowHeight:e.getRowHeight,cellRenderer:function(e,t,n){var r=o.instance.getCellMeta(e,t),i=o.instance.colToProp(t),s=o.instance.getDataAtRowProp(e,i);o.instance.hasHook("beforeValueRender")&&(s=o.instance.runHooks("beforeValueRender",s)),o.instance.runHooks("beforeRenderer",n,e,t,i,s,r),o.instance.getCellRenderer(r)(o.instance,n,e,t,i,s,r),o.instance.runHooks("afterRenderer",n,e,t,i,s,r)},selections:a,hideBorderOnMouseDownOver:function(){return o.settings.fragmentSelection},onCellMouseDown:function(t,n,r,s){var a={row:!1,column:!1,cells:!1};if(e.listen(),o.activeWt=s,i=!0,h.hooks.run(e,"beforeOnCellMouseDown",t,n,r,a),!O(t)){var l=e.getSelectedRange(),u=e.selection,c=u.selectedHeader;if(t.shiftKey&&l)n.row>=0&&n.col>=0&&!a.cells?(u.setSelectedHeaders(!1,!1),u.setRangeEnd(n)):(c.cols||c.rows)&&n.row>=0&&n.col>=0&&!a.cells?(u.setSelectedHeaders(!1,!1),u.setRangeEnd(new D(n.row,n.col))):c.cols&&n.row<0&&!a.column?u.setRangeEnd(new D(l.to.row,n.col)):c.rows&&n.col<0&&!a.row?u.setRangeEnd(new D(n.row,l.to.col)):(!c.cols&&!c.rows&&n.col<0||c.cols&&n.col<0)&&!a.row?(u.setSelectedHeaders(!0,!1),u.setRangeStartOnly(new D(l.from.row,0)),u.setRangeEnd(new 
D(n.row,e.countCols()-1))):(!c.cols&&!c.rows&&n.row<0||c.rows&&n.row<0)&&!a.column&&(u.setSelectedHeaders(!1,!0),u.setRangeStartOnly(new D(0,l.from.col)),u.setRangeEnd(new D(e.countRows()-1,n.col)));else{var d=!0;if(l){var f=l,g=f.from,m=f.to,w=!u.inInSelection(n);if(n.row<0&&c.cols){var v=Math.min(g.col,m.col),y=Math.max(g.col,m.col);d=n.coly}else if(n.col<0&&c.rows){var b=Math.min(g.row,m.row),C=Math.max(g.row,m.row);d=n.rowC}else d=w}var _=T(t),M=k(t)||"touchstart"===t.type;n.row<0&&n.col>=0&&!a.column?(u.setSelectedHeaders(!1,!0),(M||_&&d)&&(u.setRangeStartOnly(new D(0,n.col)),u.setRangeEnd(new D(Math.max(e.countRows()-1,0),n.col),!1))):n.col<0&&n.row>=0&&!a.row?(u.setSelectedHeaders(!0,!1),(M||_&&d)&&(u.setRangeStartOnly(new D(n.row,0)),u.setRangeEnd(new D(n.row,Math.max(e.countCols()-1,0)),!1))):n.col>=0&&n.row>=0&&!a.cells?(M||_&&d)&&(u.setSelectedHeaders(!1,!1),u.setRangeStart(n)):n.col<0&&n.row<0&&(n.row=0,n.col=0,u.setSelectedHeaders(!1,!1,!0),u.setRangeStart(n))}u.selectedHeader.rows?(R(e.rootElement,"ht__selection--columns"),p(e.rootElement,"ht__selection--rows")):u.selectedHeader.cols?(R(e.rootElement,"ht__selection--rows"),p(e.rootElement,"ht__selection--columns")):R(e.rootElement,["ht__selection--rows","ht__selection--columns"]),h.hooks.run(e,"afterOnCellMouseDown",t,n,r),o.activeWt=o.wt}},onCellMouseOver:function(t,n,r,s){var a={row:!1,column:!1,cell:!1};o.activeWt=s,h.hooks.run(e,"beforeOnCellMouseOver",t,n,r,a),O(t)||(0===t.button&&i&&(n.row>=0&&n.col>=0?e.selection.selectedHeader.cols&&!a.column?e.selection.setRangeEnd(new D(e.countRows()-1,n.col),!1):e.selection.selectedHeader.rows&&!a.row?e.selection.setRangeEnd(new D(n.row,e.countCols()-1),!1):a.cell||e.selection.setRangeEnd(n):e.selection.selectedHeader.cols&&!a.column?e.selection.setRangeEnd(new D(e.countRows()-1,n.col),!1):e.selection.selectedHeader.rows&&!a.row?e.selection.setRangeEnd(new 
D(n.row,e.countCols()-1),!1):a.cell||e.selection.setRangeEnd(n)),h.hooks.run(e,"afterOnCellMouseOver",t,n,r),o.activeWt=o.wt)},onCellMouseUp:function(t,n,r,i){o.activeWt=i,h.hooks.run(e,"beforeOnCellMouseUp",t,n,r),h.hooks.run(e,"afterOnCellMouseUp",t,n,r),o.activeWt=o.wt},onCellCornerMouseDown:function(t){t.preventDefault(),h.hooks.run(e,"afterOnCellCornerMouseDown",t)},onCellCornerDblClick:function(t){t.preventDefault(),h.hooks.run(e,"afterOnCellCornerDblClick",t)},beforeDraw:function(e,t){o.beforeRender(e,t)},onDraw:function(e){o.onDraw(e)},onScrollVertically:function(){e.runHooks("afterScrollVertically")},onScrollHorizontally:function(){e.runHooks("afterScrollHorizontally")},onBeforeDrawBorders:function(t,o){e.runHooks("beforeDrawBorders",t,o)},onBeforeTouchScroll:function(){e.runHooks("beforeTouchScroll")},onAfterMomentumScroll:function(){e.runHooks("afterMomentumScroll")},onBeforeStretchingColumnWidth:function(t,o){return e.runHooks("beforeStretchingColumnWidth",t,o)},onModifyRowHeaderWidth:function(t){return e.runHooks("modifyRowHeaderWidth",t)},viewportRowCalculatorOverride:function(t){var n=e.countRows(),r=o.settings.viewportRowRenderingOffset;if("auto"===r&&o.settings.fixedRowsTop&&(r=10),"number"==typeof r&&(t.startRow=Math.max(t.startRow-r,0),t.endRow=Math.min(t.endRow+r,n-1)),"auto"===r){var i=t.startRow+t.endRow-t.startRow,s=Math.ceil(i/n*12);t.startRow=Math.max(t.startRow-s,0),t.endRow=Math.min(t.endRow+s,n-1)}e.runHooks("afterViewportRowCalculatorOverride",t)},viewportColumnCalculatorOverride:function(t){var n=e.countCols(),r=o.settings.viewportColumnRenderingOffset;if("auto"===r&&o.settings.fixedColumnsLeft&&(r=10),"number"==typeof r&&(t.startColumn=Math.max(t.startColumn-r,0),t.endColumn=Math.min(t.endColumn+r,n-1)),"auto"===r){var 
i=t.startColumn+t.endColumn-t.startColumn,s=Math.ceil(i/n*12);t.startRow=Math.max(t.startColumn-s,0),t.endColumn=Math.min(t.endColumn+s,n-1)}e.runHooks("afterViewportColumnCalculatorOverride",t)},rowHeaderWidth:function(){return o.settings.rowHeaderWidth},columnHeaderHeight:function(){var t=e.runHooks("modifyColumnHeaderHeight");return o.settings.columnHeaderHeight||t}};h.hooks.run(e,"beforeInitWalkontable",l),this.wt=new H(l),this.activeWt=this.wt,this.eventManager.addEventListener(o.wt.wtTable.spreader,"mousedown",function(e){e.target===o.wt.wtTable.spreader&&3===e.which&&E(e)}),this.eventManager.addEventListener(o.wt.wtTable.spreader,"contextmenu",function(e){e.target===o.wt.wtTable.spreader&&3===e.which&&E(e)}),this.eventManager.addEventListener(document.documentElement,"click",function(){o.settings.observeDOMVisibility&&o.wt.drawInterrupted&&(o.instance.forceFullRender=!0,o.render())})}Object.defineProperties(o,{TableView:{get:function(){return n}},__esModule:{value:!0}});var r,i,s,a,l,u,c,d,h=(r=e("browser"),r&&r.__esModule&&r||{default:r}).default,f=(i=e("helpers/dom/element"),i&&i.__esModule&&i||{default:i}),p=f.addClass,g=f.empty,m=f.fastInnerHTML,w=f.fastInnerText,v=f.getScrollbarWidth,y=f.hasClass,b=f.isChildOf,C=f.isInput,_=f.isOutsideInput,R=f.removeClass,M=((s=e("helpers/object"),s&&s.__esModule&&s||{default:s}).createObjectPropListener,(a=e("eventManager"),a&&a.__esModule&&a||{default:a}).eventManager),S=(l=e("helpers/dom/event"),l&&l.__esModule&&l||{default:l}),E=S.stopPropagation,O=S.isImmediatePropagationStopped,T=S.isRightClick,k=S.isLeftClick,D=(u=e("3rdparty/walkontable/src/cell/coords"),u&&u.__esModule&&u||{default:u}).WalkontableCellCoords,x=(c=e("3rdparty/walkontable/src/selection"),c&&c.__esModule&&c||{default:c}).WalkontableSelection,H=(d=e("3rdparty/walkontable/src/core"),d&&d.__esModule&&d||{default:d}).Walkontable;h.TableView=n,n.prototype.isTextSelectionAllowed=function(e){if(C(e))return!0;var 
t=b(e,this.instance.view.wt.wtTable.spreader);return!(this.settings.fragmentSelection!==!0||!t)||(!("cell"!==this.settings.fragmentSelection||!this.isSelectedOnlyCell()||!t)||!(this.settings.fragmentSelection||!this.isCellEdited()||!this.isSelectedOnlyCell()))},n.prototype.isSelectedOnlyCell=function(){var e=this.instance.getSelected()||[],t=e[0],o=e[1],n=e[2],r=e[3];return void 0!==t&&t===n&&o===r},n.prototype.isCellEdited=function(){var e=this.instance.getActiveEditor();return e&&e.isOpened()},n.prototype.beforeRender=function(e,t){e&&h.hooks.run(this.instance,"beforeRender",this.instance.forceFullRender,t)},n.prototype.onDraw=function(e){e&&h.hooks.run(this.instance,"afterRender",this.instance.forceFullRender)},n.prototype.render=function(){this.wt.draw(!this.instance.forceFullRender),this.instance.forceFullRender=!1,this.instance.renderCall=!1},n.prototype.getCellAtCoords=function(e,t){var o=this.wt.getCell(e,t);return o<0?null:o},n.prototype.scrollViewport=function(e){this.wt.scrollViewport(e)},n.prototype.appendRowHeader=function(e,t){if(t.firstChild){var o=t.firstChild;if(!y(o,"relative"))return g(t),void this.appendRowHeader(e,t);this.updateCellHeader(o.querySelector(".rowHeader"),e,this.instance.getRowHeader)}else{var n=document.createElement("div"),r=document.createElement("span");n.className="relative",r.className="rowHeader",this.updateCellHeader(r,e,this.instance.getRowHeader),n.appendChild(r),t.appendChild(n)}h.hooks.run(this.instance,"afterGetRowHeader",e,t)},n.prototype.appendColHeader=function(e,t){if(t.firstChild){var o=t.firstChild;y(o,"relative")?this.updateCellHeader(o.querySelector(".colHeader"),e,this.instance.getColHeader):(g(t),this.appendColHeader(e,t))}else{var 
n=document.createElement("div"),r=document.createElement("span");n.className="relative",r.className="colHeader",this.updateCellHeader(r,e,this.instance.getColHeader),n.appendChild(r),t.appendChild(n)}h.hooks.run(this.instance,"afterGetColHeader",e,t)},n.prototype.updateCellHeader=function(e,t,o){var n=t,r=this.wt.wtOverlays.getParentOverlay(e)||this.wt;e.parentNode&&(y(e,"colHeader")?n=r.wtTable.columnFilter.sourceToRendered(t):y(e,"rowHeader")&&(n=r.wtTable.rowFilter.sourceToRendered(t))),n>-1?m(e,o(t)):(w(e,String.fromCharCode(160)),p(e,"cornerHeader"))},n.prototype.maximumVisibleElementWidth=function(e){var t=this.wt.wtViewport.getWorkspaceWidth(),o=t-e;return o>0?o:0},n.prototype.maximumVisibleElementHeight=function(e){var t=this.wt.wtViewport.getWorkspaceHeight(),o=t-e;return o>0?o:0},n.prototype.mainViewIsActive=function(){return this.wt===this.activeWt},n.prototype.destroy=function(){this.wt.destroy(),this.eventManager.destroy()}},{"3rdparty/walkontable/src/cell/coords":6,"3rdparty/walkontable/src/core":8,"3rdparty/walkontable/src/selection":19,browser:24,eventManager:42,"helpers/dom/element":47,"helpers/dom/event":48,"helpers/object":53}],127:[function(e,t,o){"use strict";Object.defineProperties(o,{GhostTable:{get:function(){return g}},__esModule:{value:!0}});var n,r,i,s,a,l,u=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,c=(r=e("helpers/dom/element"),r&&r.__esModule&&r||{default:r}),d=c.addClass,h=c.outerHeight,f=c.outerWidth,p=(i=e("helpers/array"),i&&i.__esModule&&i||{default:i}).arrayEach,g=((s=e("helpers/object"),s&&s.__esModule&&s||{default:s}).objectEach,(a=e("helpers/number"),a&&a.__esModule&&a||{default:a}).rangeEach,(l=e("helpers/mixed"),l&&l.__esModule&&l||{default:l}).stringify,function(e){this.hot=e,this.container=null,this.injected=!1,this.rows=[],this.columns=[],this.samples=null,this.settings={useHeaders:!0}});$traceurRuntime.createClass(g,{addRow:function(e,t){if(this.columns.length)throw new Error("Doesn't support 
multi-dimensional table");this.rows.length||(this.container=this.createContainer(this.hot.rootElement.className));var o={row:e};this.rows.push(o),this.samples=t,this.table=this.createTable(this.hot.table.className),this.table.colGroup.appendChild(this.createColGroupsCol()),this.table.tr.appendChild(this.createRow(e)),this.container.container.appendChild(this.table.fragment),o.table=this.table.table},addColumnHeadersRow:function(e){if(null!=this.hot.getColHeader(0)){var t={row:-1};this.rows.push(t),this.container=this.createContainer(this.hot.rootElement.className),this.samples=e,this.table=this.createTable(this.hot.table.className),this.table.colGroup.appendChild(this.createColGroupsCol()),this.table.tHead.appendChild(this.createColumnHeadersRow()),this.container.container.appendChild(this.table.fragment),t.table=this.table.table}},addColumn:function(e,t){if(this.rows.length)throw new Error("Doesn't support multi-dimensional table");this.columns.length||(this.container=this.createContainer(this.hot.rootElement.className));var o={col:e};this.columns.push(o),this.samples=t,this.table=this.createTable(this.hot.table.className),this.getSetting("useHeaders")&&null!==this.hot.getColHeader(e)&&this.hot.view.appendColHeader(e,this.table.th), -this.table.tBody.appendChild(this.createCol(e)),this.container.container.appendChild(this.table.fragment),o.table=this.table.table},getHeights:function(e){this.injected||this.injectTable(),p(this.rows,function(t){e(t.row,h(t.table)-1)})},getWidths:function(e){this.injected||this.injectTable(),p(this.columns,function(t){e(t.col,f(t.table))})},setSettings:function(e){this.settings=e},setSetting:function(e,t){this.settings||(this.settings={}),this.settings[e]=t},getSettings:function(){return this.settings},getSetting:function(e){return this.settings?this.settings[e]:null},createColGroupsCol:function(){var e=this,t=document,o=t.createDocumentFragment();return 
this.hot.hasRowHeaders()&&o.appendChild(this.createColElement(-1)),this.samples.forEach(function(t){p(t.strings,function(t){o.appendChild(e.createColElement(t.col))})}),o},createRow:function(e){var t=this,o=document,n=o.createDocumentFragment(),r=o.createElement("th");return this.hot.hasRowHeaders()&&(this.hot.view.appendRowHeader(e,r),n.appendChild(r)),this.samples.forEach(function(r){p(r.strings,function(r){var i=r.col,s=t.hot.getCellMeta(e,i);s.col=i,s.row=e;var a=t.hot.getCellRenderer(s),l=o.createElement("td");a(t.hot,l,e,i,t.hot.colToProp(i),r.value,s),n.appendChild(l)})}),n},createColumnHeadersRow:function(){var e=this,t=document,o=t.createDocumentFragment();if(this.hot.hasRowHeaders()){var n=t.createElement("th");this.hot.view.appendColHeader(-1,n),o.appendChild(n)}return this.samples.forEach(function(n){p(n.strings,function(n){var r=n.col,i=t.createElement("th");e.hot.view.appendColHeader(r,i),o.appendChild(i)})}),o},createCol:function(e){var t=this,o=document,n=o.createDocumentFragment();return this.samples.forEach(function(r){p(r.strings,function(r){var i=r.row,s=t.hot.getCellMeta(i,e);s.col=e,s.row=i;var a=t.hot.getCellRenderer(s),l=o.createElement("td"),u=o.createElement("tr");a(t.hot,l,i,e,t.hot.colToProp(e),r.value,s),u.appendChild(l),n.appendChild(u)})}),n},clean:function(){this.rows.length=0,this.rows[-1]=void 0,this.columns.length=0,this.samples&&this.samples.clear(),this.samples=null,this.removeTable()},injectTable:function(){var e=void 0!==arguments[0]?arguments[0]:null;this.injected||((e||this.hot.rootElement).appendChild(this.container.fragment),this.injected=!0)},removeTable:function(){this.injected&&this.container.container.parentNode&&(this.container.container.parentNode.removeChild(this.container.container),this.container=null,this.injected=!1)},createColElement:function(e){var t=document,o=t.createElement("col");return o.style.width=this.hot.view.wt.wtTable.getStretchedColumnWidth(e)+"px",o},createTable:function(){var e=void 
0!==arguments[0]?arguments[0]:"",t=document,o=t.createDocumentFragment(),n=t.createElement("table"),r=t.createElement("thead"),i=t.createElement("tbody"),s=t.createElement("colgroup"),a=t.createElement("tr"),l=t.createElement("th");return this.isVertical()&&n.appendChild(s),this.isHorizontal()&&(a.appendChild(l),r.appendChild(a),n.style.tableLayout="auto",n.style.width="auto"),n.appendChild(r),this.isVertical()&&i.appendChild(a),n.appendChild(i),d(n,e),o.appendChild(n),{fragment:o,table:n,tHead:r,tBody:i,colGroup:s,tr:a,th:l}},createContainer:function(){var e=void 0!==arguments[0]?arguments[0]:"",t=document,o=t.createDocumentFragment(),n=t.createElement("div");return e="htGhostTable htAutoSize "+e.trim(),d(n,e),o.appendChild(n),{fragment:o,container:n}},isVertical:function(){return!(!this.rows.length||this.columns.length)},isHorizontal:function(){return!(!this.columns.length||this.rows.length)}},{}),u.utils.GhostTable=g},{browser:24,"helpers/array":43,"helpers/dom/element":47,"helpers/mixed":51,"helpers/number":52,"helpers/object":53}],128:[function(e,t,o){"use strict";function n(e){return"string"==typeof e&&/fps$/.test(e)&&(e=1e3/parseInt(e.replace("fps","")||0,10)),e}Object.defineProperties(o,{Interval:{get:function(){return c}},__esModule:{value:!0}});var r,i,s=(r=e("browser"),r&&r.__esModule&&r||{default:r}).default,a=(i=e("helpers/feature"),i&&i.__esModule&&i||{default:i}),l=a.requestAnimationFrame,u=a.cancelAnimationFrame,c=function(e,t){var o=this;this.timer=null,this.func=e,this.delay=n(t),this.stopped=!0,this._then=null,this._callback=function(){return o.__callback()}},d=c;$traceurRuntime.createClass(c,{start:function(){return this.stopped&&(this._then=Date.now(),this.stopped=!1,this.timer=l(this._callback)),this},stop:function(){return this.stopped||(this.stopped=!0,u(this.timer),this.timer=null),this},__callback:function(){if(this.timer=l(this._callback),this.delay){var 
e=Date.now(),t=e-this._then;t>this.delay&&(this._then=e-t%this.delay,this.func())}else this.func()}},{create:function(e,t){return new d(e,t)}}),s.utils.Interval=c},{browser:24,"helpers/feature":49}],129:[function(e,t,o){"use strict";function n(e,t){c.set(e,t)}function r(e){var t;if(!(e instanceof a.Core)){if(!c.has(e))throw Error("Record translator was not registered for this object identity");e=c.get(e)}return d.has(e)?t=d.get(e):(t=new u(e),d.set(e,t)),t}Object.defineProperties(o,{registerIdentity:{get:function(){return n}},getTranslator:{get:function(){return r}},__esModule:{value:!0}});var i,s,a=(i=e("browser"),i&&i.__esModule&&i||{default:i}).default,l=(s=e("helpers/object"),s&&s.__esModule&&s||{default:s}).isObject,u=function(e){this.hot=e};$traceurRuntime.createClass(u,{toVisualRow:function(e){return this.hot.runHooks("unmodifyRow",e)},toVisualColumn:function(e){return this.hot.runHooks("unmodifyCol",e)},toVisual:function(e,t){var o;return o=l(e)?{row:this.toVisualRow(e.row),column:this.toVisualColumn(e.column)}:[this.toVisualRow(e),this.toVisualColumn(t)]},toPhysicalRow:function(e){return this.hot.runHooks("modifyRow",e)},toPhysicalColumn:function(e){return this.hot.runHooks("modifyCol",e)},toPhysical:function(e,t){var o;return o=l(e)?{row:this.toPhysicalRow(e.row),column:this.toPhysicalColumn(e.column)}:[this.toPhysicalRow(e),this.toPhysicalColumn(t)]}},{});var c=new WeakMap,d=new WeakMap;a.utils.RecordTranslator=u,a.utils.RecordTranslatorUtils={registerIdentity:n,getTranslator:r}},{browser:24,"helpers/object":53}],130:[function(e,t,o){"use strict";var n;Object.defineProperties(o,{SamplesGenerator:{get:function(){return m}},__esModule:{value:!0}});var 
r,i,s,a,l,u,c=(r=e("browser"),r&&r.__esModule&&r||{default:r}).default,d=(i=e("helpers/dom/element"),i&&i.__esModule&&i||{default:i}),h=(d.addClass,d.outerHeight,d.outerWidth,(s=e("helpers/array"),s&&s.__esModule&&s||{default:s}).arrayEach,a=e("helpers/object"),a&&a.__esModule&&a||{default:a}),f=(h.objectEach,h.isObject),p=(l=e("helpers/number"),l&&l.__esModule&&l||{default:l}).rangeEach,g=(u=e("helpers/mixed"),u&&u.__esModule&&u||{default:u}).stringify,m=function(e){this.samples=null,this.dataFactory=e,this.customSampleCount=null,this.allowDuplicates=!1},w=m;$traceurRuntime.createClass(m,(n={},Object.defineProperty(n,"getSampleCount",{value:function(){return this.customSampleCount?this.customSampleCount:w.SAMPLE_COUNT},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"setSampleCount",{value:function(e){this.customSampleCount=e},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"setAllowDuplicates",{value:function(e){this.allowDuplicates=e},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"generateRowSamples",{value:function(e,t){return this.generateSamples("row",t,e)},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"generateColumnSamples",{value:function(e,t){return this.generateSamples("col",t,e)},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"generateSamples",{value:function(e,t,o){var n=this,r=new Map;return"number"==typeof o&&(o={from:o,to:o}),p(o.from,o.to,function(o){var i=n.generateSample(e,t,o);r.set(o,i)}),r},configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(n,"generateSample",{value:function(e,t,o){var n,r=this,i=new Map,s=[];return p(t.from,t.to,function(t){var a,l;if("row"===e)l=r.dataFactory(o,t);else{if("col"!==e)throw new Error("Unsupported sample type");l=r.dataFactory(t,o)}n=f(l)?Object.keys(l).length:Array.isArray(l)?l.length:g(l).length,i.has(n)||i.set(n,{needed:r.getSampleCount(),strings:[]});var u=i.get(n);if(u.needed){var 
c=s.indexOf(l)>-1;if(!c||r.allowDuplicates){var d="row"===e?"col":"row";u.strings.push((a={},Object.defineProperty(a,"value",{value:l,configurable:!0,enumerable:!0,writable:!0}),Object.defineProperty(a,d,{value:t,configurable:!0,enumerable:!0,writable:!0}),a)),s.push(l),u.needed--}}}),i},configurable:!0,enumerable:!0,writable:!0}),n),{get SAMPLE_COUNT(){return 3}}),c.utils.SamplesGenerator=m},{browser:24,"helpers/array":43,"helpers/dom/element":47,"helpers/mixed":51,"helpers/number":52,"helpers/object":53}],131:[function(e,t,o){"use strict";function n(e,t){var o=e;return function(e){for(var n=!1,r=0,i=e.length;r-1;return o=n.isValid()&&n.format("x")===r.format("x")||!r.isValid()||i?n:r,o.format(t)}},{"../helpers/date":46,browser:24,editors:30,moment:"moment"}],133:[function(e,t,o){"use strict";var n,r=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default;r.NumericValidator=function(e,t){null==e&&(e=""),t(this.allowEmpty&&""===e?!0:""===e?!1:/^-?\d*(\.|\,)?\d*$/.test(e))}},{browser:24}],134:[function(e,t,o){"use strict";var n,r,i=(n=e("browser"),n&&n.__esModule&&n||{default:n}).default,s=(r=e("moment"),r&&r.__esModule&&r||{default:r}).default,a=["YYYY-MM-DDTHH:mm:ss.SSSZ","X","x"];i.TimeValidator=function(e,t){var o=!0,n=this.timeFormat||"h:mm:ss a";null===e&&(e=""),e=/^\d{3,}$/.test(e)?parseInt(e,10):e;var r=/^\d{1,2}$/.test(e);r&&(e+=":00");var i=s(e,a,!0).isValid()?s(e):s(e,n),l=i.isValid(),u=s(e,n,!0).isValid()&&!r;if(this.allowEmpty&&""===e&&(l=!0,u=!0),l||(o=!1),!l&&u&&(o=!0),l&&!u)if(this.correctFormat===!0){var c=i.format(n),d=this.instance.runHooks("unmodifyRow",this.row),h=this.instance.runHooks("unmodifyCol",this.col);this.instance.setDataAtCell(d,h,c,"timeValidator"),o=!0}else o=!1;t(o)}},{browser:24,moment:"moment"}],SheetClip:[function(e,t,o){!function(e){"use strict";function t(e){return e.split('"').length-1}var n={parse:function(e){var 
o,n,r,i,s,a,l,u=[],c=0;for(r=e.split("\n"),r.length>1&&""===r[r.length-1]&&r.pop(),o=0,n=r.length;o0&&(s+="\t"),i=e[t][n],s+="string"==typeof i?i.indexOf("\n")>-1?'"'+i.replace(/"/g,'""')+'"':i:null===i||void 0===i?"":i;s+="\n"}return s}};"undefined"!=typeof o?(o.parse=n.parse,o.stringify=n.stringify):e.SheetClip=n}(window)},{}],autoResize:[function(e,t,o){function n(){function e(e){return e.currentStyle||document.defaultView.getComputedStyle(e)}var t,o={minHeight:200,maxHeight:300,minWidth:100,maxWidth:300},n=document.body,r=document.createTextNode(""),i=document.createElement("SPAN"),s=function(e,t,o){window.attachEvent?e.attachEvent("on"+t,o):e.addEventListener(t,o,!1)},a=function(e,t,o){window.removeEventListener?e.removeEventListener(t,o,!1):e.detachEvent("on"+t,o)},l=function(s){var a,l;s?/^[a-zA-Z \.,\\\/\|0-9]$/.test(s)||(s="."):s="",void 0!==r.textContent?r.textContent=t.value+s:r.data=t.value+s,i.style.fontSize=e(t).fontSize,i.style.fontFamily=e(t).fontFamily,i.style.whiteSpace="pre",n.appendChild(i),a=i.clientWidth+2,n.removeChild(i),t.style.height=o.minHeight+"px",o.minWidth>a?t.style.width=o.minWidth+"px":a>o.maxWidth?t.style.width=o.maxWidth+"px":t.style.width=a+"px",l=t.scrollHeight?t.scrollHeight-1:0,o.minHeight>l?t.style.height=o.minHeight+"px":o.maxHeight-1||"true"===e.contentEditable}var o=this,n=!1;if(e.metaKey?n=!0:e.ctrlKey&&navigator.userAgent.indexOf("Mac")===-1&&(n=!0),n){if(document.activeElement!==this.elTextarea&&(""!==this.getSelectionText()||t()))return;this.selectNodeText(this.elTextarea),setTimeout(function(){document.activeElement!==o.elTextarea&&o.selectNodeText(o.elTextarea)},0)}e.isImmediatePropagationEnabled===!1||!n||67!==e.keyCode&&86!==e.keyCode&&88!==e.keyCode||(88===e.keyCode?setTimeout(function(){o.triggerCut(e)},0):86===e.keyCode&&setTimeout(function(){o.triggerPaste(e)},0))},r.prototype.selectNodeText=function(e){e&&e.select()},r.prototype.getSelectionText=function(){var e="";return 
window.getSelection?e=window.getSelection().toString():document.selection&&"Control"!==document.selection.type&&(e=document.selection.createRange().text),e},r.prototype.copyable=function(e){if("string"!=typeof e&&void 0===e.toString)throw new Error("copyable requires string parameter");this.elTextarea.value=e,this.selectNodeText(this.elTextarea)},r.prototype.onCut=function(e){this.cutCallbacks.push(e)},r.prototype.onPaste=function(e){this.pasteCallbacks.push(e)},r.prototype.removeCallback=function(e){var t,o;for(t=0,o=this.copyCallbacks.length;t0&&(e.patches=[],e.callback&&e.callback(r)),r}function h(e,t,n,r){for(var i=y(t),s=y(e),a=!1,l=!1,c=s.length-1;c>=0;c--){var d=s[c],f=e[d];if(t.hasOwnProperty(d)){var p=t[d];"object"==typeof f&&null!=f&&"object"==typeof p&&null!=p?h(f,p,n,r+"/"+o(d)):f!=p&&(a=!0,n.push({op:"replace",path:r+"/"+o(d),value:u(p)}))}else n.push({op:"remove",path:r+"/"+o(d)}),l=!0}if(l||i.length!=s.length)for(var c=0;c=48&&t<=57))return!1;o++}}return!0}function p(e,t,o){for(var n,r,i=!1,s=0,a=t.length;s=h){i=_[n.op].call(n,c,r,e);break}if(E(c)){if("-"===r)r=c.length;else{if(o&&!f(r))throw new O("Expected an unsigned base-10 integer value, making the new referenced value the array element with the zero-based index","OPERATION_PATH_ILLEGAL_ARRAY_INDEX",s-1,n.path,n);r=parseInt(r,10)}if(d>=h){if(o&&"add"===n.op&&r>c.length)throw new O("The specified index MUST NOT be greater than the number of elements in the array","OPERATION_VALUE_OUT_OF_BOUNDS",s-1,n.path,n);i=C[n.op].call(n,c,r,e);break}}else if(r&&r.indexOf("~")!=-1&&(r=r.replace(/~1/g,"/").replace(/~0/g,"~")),d>=h){i=b[n.op].call(n,c,r,e);break}c=c[r]}}return i}function g(e,t){var o=[];return h(e,t,o,""),o}function m(e){if(void 0===e)return!0;if("array"==typeof e||"object"==typeof e)for(var t in e)if(m(e[t]))return!0;return!1}function w(t,o,n,r){if("object"!=typeof t||null===t||E(t))throw new O("Operation is not an object","OPERATION_NOT_AN_OBJECT",o,t,n);if(!b[t.op])throw new O("Operation 
`op` property is not one of operations defined in RFC-6902","OPERATION_OP_INVALID",o,t,n);if("string"!=typeof t.path)throw new O("Operation `path` property is not a string","OPERATION_PATH_INVALID",o,t,n);if(("move"===t.op||"copy"===t.op)&&"string"!=typeof t.from)throw new O("Operation `from` property is not present (applicable in `move` and `copy` operations)","OPERATION_FROM_REQUIRED",o,t,n);if(("add"===t.op||"replace"===t.op||"test"===t.op)&&void 0===t.value)throw new O("Operation `value` property is not present (applicable in `add`, `replace` and `test` operations)","OPERATION_VALUE_REQUIRED",o,t,n);if(("add"===t.op||"replace"===t.op||"test"===t.op)&&m(t.value))throw new O("Operation `value` property is not present (applicable in `add`, `replace` and `test` operations)","OPERATION_VALUE_CANNOT_CONTAIN_UNDEFINED",o,t,n);if(n)if("add"==t.op){var i=t.path.split("/").length,s=r.split("/").length;if(i!==s+1&&i!==s)throw new O("Cannot perform an `add` operation at the desired path","OPERATION_PATH_CANNOT_ADD",o,t,n)}else if("replace"===t.op||"remove"===t.op||"_get"===t.op){if(t.path!==r)throw new O("Cannot perform the operation at a path that does not exist","OPERATION_PATH_UNRESOLVABLE",o,t,n)}else if("move"===t.op||"copy"===t.op){var a={op:"_get",path:t.from,value:void 0},l=e.validate([a],n);if(l&&"OPERATION_PATH_UNRESOLVABLE"===l.name)throw new O("Cannot perform the operation from a path that does not exist","OPERATION_FROM_UNRESOLVABLE",o,t,n)}}function v(e,t){try{if(!E(e))throw new O("Patch sequence must be an array","SEQUENCE_NOT_AN_ARRAY");if(t)t=JSON.parse(JSON.stringify(t)),p.call(this,t,e,!0);else for(var o=0;o0)for(o in Cn)n=Cn[o],r=t[n],w(r)||(e[n]=r);return e}function y(t){v(this,t),this._d=new Date(null!=t._d?t._d.getTime():NaN),this.isValid()||(this._d=new Date(NaN)),_n===!1&&(_n=!0,e.updateOffset(this),_n=!1)}function b(e){return e instanceof y||null!=e&&null!=e._isAMomentObject}function C(e){return e<0?Math.ceil(e)||0:Math.floor(e)}function _(e){var 
t=+e,o=0;return 0!==t&&isFinite(t)&&(o=C(t)),o}function R(e,t,o){var n,r=Math.min(e.length,t.length),i=Math.abs(e.length-t.length),s=0;for(n=0;n0?"future":"past"];return O(o)?o(t):o.replace(/%s/i,t)}function I(e,t){var o=e.toLowerCase();An[o]=An[o+"s"]=An[t]=e}function W(e){return"string"==typeof e?An[e]||An[e.toLowerCase()]:void 0}function j(e){var t,o,n={};for(o in e)c(e,o)&&(t=W(o),t&&(n[t]=e[o]));return n}function V(e,t){Pn[e]=t}function B(e){var t=[];for(var o in e)t.push({unit:o,priority:Pn[o]});return t.sort(function(e,t){return e.priority-t.priority}),t}function F(t,o){return function(n){return null!=n?(Y(this,t,n),e.updateOffset(this,o),this):z(this,t)}}function z(e,t){return e.isValid()?e._d["get"+(e._isUTC?"UTC":"")+t]():NaN}function Y(e,t,o){e.isValid()&&e._d["set"+(e._isUTC?"UTC":"")+t](o)}function U(e){return e=W(e),O(this[e])?this[e]():this}function G(e,t){if("object"==typeof e){e=j(e);for(var o=B(e),n=0;n=0;return(i?o?"+":"":"-")+Math.pow(10,Math.max(0,r)).toString().substr(1)+n}function K(e,t,o,n){var r=n;"string"==typeof n&&(r=function(){return this[n]()}),e&&(Wn[e]=r),t&&(Wn[t[0]]=function(){return $(r.apply(this,arguments),t[1],t[2])}),o&&(Wn[o]=function(){return this.localeData().ordinal(r.apply(this,arguments),e)})}function X(e){return e.match(/\[[\s\S]/)?e.replace(/^\[|\]$/g,""):e.replace(/\\/g,"")}function q(e){var t,o,n=e.match(Nn);for(t=0,o=n.length;t=0&&Ln.test(e);)e=e.replace(Ln,o),Ln.lastIndex=0,n-=1;return e}function Q(e,t,o){or[e]=O(t)?t:function(e,n){return e&&o?o:t}}function ee(e,t){return c(or,e)?or[e](t._strict,t._locale):new RegExp(te(e))}function te(e){return oe(e.replace("\\","").replace(/\\(\[)|\\(\])|\[([^\]\[]*)\]|\\(.)/g,function(e,t,o,n,r){return t||o||n||r}))}function oe(e){return e.replace(/[-\/\\^$*+?.()|[\]{}]/g,"\\$&")}function ne(e,t){var o,n=t;for("string"==typeof e&&(e=[e]),a(t)&&(n=function(e,o){o[t]=_(e)}),o=0;o=0&&isFinite(a.getFullYear())&&a.setFullYear(e),a}function Ce(e){var t=new 
Date(Date.UTC.apply(null,arguments));return e<100&&e>=0&&isFinite(t.getUTCFullYear())&&t.setUTCFullYear(e),t}function _e(e,t,o){var n=7+t-o,r=(7+Ce(e,0,n).getUTCDay()-t)%7;return-r+n-1}function Re(e,t,o,n,r){var i,s,a=(7+o-n)%7,l=_e(e,n,r),u=1+7*(t-1)+a+l;return u<=0?(i=e-1,s=we(i)+u):u>we(e)?(i=e+1,s=u-we(e)):(i=e,s=u),{year:i,dayOfYear:s}}function Me(e,t,o){var n,r,i=_e(e.year(),t,o),s=Math.floor((e.dayOfYear()-i-1)/7)+1;return s<1?(r=e.year()-1,n=s+Se(r,t,o)):s>Se(e.year(),t,o)?(n=s-Se(e.year(),t,o),r=e.year()+1):(r=e.year(),n=s),{week:n,year:r}}function Se(e,t,o){var n=_e(e,t,o),r=_e(e+1,t,o);return(we(e)-n+r)/7}function Ee(e){return Me(e,this._week.dow,this._week.doy).week}function Oe(){return this._week.dow}function Te(){return this._week.doy}function ke(e){var t=this.localeData().week(this);return null==e?t:this.add(7*(e-t),"d")}function De(e){var t=Me(this,1,4).week;return null==e?t:this.add(7*(e-t),"d")}function xe(e,t){return"string"!=typeof e?e:isNaN(e)?(e=t.weekdaysParse(e),"number"==typeof e?e:null):parseInt(e,10)}function He(e,t){return"string"==typeof e?t.weekdaysParse(e)%7||7:isNaN(e)?null:e}function Ae(e,t){return e?r(this._weekdays)?this._weekdays[e.day()]:this._weekdays[this._weekdays.isFormat.test(t)?"format":"standalone"][e.day()]:this._weekdays}function Pe(e){return e?this._weekdaysShort[e.day()]:this._weekdaysShort}function Ne(e){return e?this._weekdaysMin[e.day()]:this._weekdaysMin}function Le(e,t,o){var n,r,i,s=e.toLocaleLowerCase();if(!this._weekdaysParse)for(this._weekdaysParse=[],this._shortWeekdaysParse=[],this._minWeekdaysParse=[],n=0;n<7;++n)i=h([2e3,1]).day(n),this._minWeekdaysParse[n]=this.weekdaysMin(i,"").toLocaleLowerCase(),this._shortWeekdaysParse[n]=this.weekdaysShort(i,"").toLocaleLowerCase(),this._weekdaysParse[n]=this.weekdays(i,"").toLocaleLowerCase();return 
o?"dddd"===t?(r=fr.call(this._weekdaysParse,s),r!==-1?r:null):"ddd"===t?(r=fr.call(this._shortWeekdaysParse,s),r!==-1?r:null):(r=fr.call(this._minWeekdaysParse,s),r!==-1?r:null):"dddd"===t?(r=fr.call(this._weekdaysParse,s),r!==-1?r:(r=fr.call(this._shortWeekdaysParse,s),r!==-1?r:(r=fr.call(this._minWeekdaysParse,s),r!==-1?r:null))):"ddd"===t?(r=fr.call(this._shortWeekdaysParse,s),r!==-1?r:(r=fr.call(this._weekdaysParse,s),r!==-1?r:(r=fr.call(this._minWeekdaysParse,s),r!==-1?r:null))):(r=fr.call(this._minWeekdaysParse,s),r!==-1?r:(r=fr.call(this._weekdaysParse,s),r!==-1?r:(r=fr.call(this._shortWeekdaysParse,s),r!==-1?r:null)))}function Ie(e,t,o){var n,r,i;if(this._weekdaysParseExact)return Le.call(this,e,t,o);for(this._weekdaysParse||(this._weekdaysParse=[],this._minWeekdaysParse=[],this._shortWeekdaysParse=[],this._fullWeekdaysParse=[]),n=0;n<7;n++){if(r=h([2e3,1]).day(n),o&&!this._fullWeekdaysParse[n]&&(this._fullWeekdaysParse[n]=new RegExp("^"+this.weekdays(r,"").replace(".",".?")+"$","i"),this._shortWeekdaysParse[n]=new RegExp("^"+this.weekdaysShort(r,"").replace(".",".?")+"$","i"),this._minWeekdaysParse[n]=new RegExp("^"+this.weekdaysMin(r,"").replace(".",".?")+"$","i")),this._weekdaysParse[n]||(i="^"+this.weekdays(r,"")+"|^"+this.weekdaysShort(r,"")+"|^"+this.weekdaysMin(r,""),this._weekdaysParse[n]=new RegExp(i.replace(".",""),"i")),o&&"dddd"===t&&this._fullWeekdaysParse[n].test(e))return n;if(o&&"ddd"===t&&this._shortWeekdaysParse[n].test(e))return n;if(o&&"dd"===t&&this._minWeekdaysParse[n].test(e))return n;if(!o&&this._weekdaysParse[n].test(e))return n}}function We(e){if(!this.isValid())return null!=e?this:NaN;var t=this._isUTC?this._d.getUTCDay():this._d.getDay();return null!=e?(e=xe(e,this.localeData()),this.add(e-t,"d")):t}function je(e){if(!this.isValid())return null!=e?this:NaN;var t=(this.day()+7-this.localeData()._week.dow)%7;return null==e?t:this.add(e-t,"d")}function Ve(e){if(!this.isValid())return null!=e?this:NaN;if(null!=e){var 
t=He(e,this.localeData());return this.day(this.day()%7?t:t-7)}return this.day()||7}function Be(e){return this._weekdaysParseExact?(c(this,"_weekdaysRegex")||Ye.call(this),e?this._weekdaysStrictRegex:this._weekdaysRegex):(c(this,"_weekdaysRegex")||(this._weekdaysRegex=Mr),this._weekdaysStrictRegex&&e?this._weekdaysStrictRegex:this._weekdaysRegex)}function Fe(e){return this._weekdaysParseExact?(c(this,"_weekdaysRegex")||Ye.call(this),e?this._weekdaysShortStrictRegex:this._weekdaysShortRegex):(c(this,"_weekdaysShortRegex")||(this._weekdaysShortRegex=Sr),this._weekdaysShortStrictRegex&&e?this._weekdaysShortStrictRegex:this._weekdaysShortRegex)}function ze(e){return this._weekdaysParseExact?(c(this,"_weekdaysRegex")||Ye.call(this),e?this._weekdaysMinStrictRegex:this._weekdaysMinRegex):(c(this,"_weekdaysMinRegex")||(this._weekdaysMinRegex=Er),this._weekdaysMinStrictRegex&&e?this._weekdaysMinStrictRegex:this._weekdaysMinRegex)}function Ye(){function e(e,t){return t.length-e.length}var t,o,n,r,i,s=[],a=[],l=[],u=[];for(t=0;t<7;t++)o=h([2e3,1]).day(t),n=this.weekdaysMin(o,""),r=this.weekdaysShort(o,""),i=this.weekdays(o,""),s.push(n),a.push(r),l.push(i),u.push(n),u.push(r),u.push(i);for(s.sort(e),a.sort(e),l.sort(e),u.sort(e),t=0;t<7;t++)a[t]=oe(a[t]),l[t]=oe(l[t]),u[t]=oe(u[t]);this._weekdaysRegex=new RegExp("^("+u.join("|")+")","i"),this._weekdaysShortRegex=this._weekdaysRegex,this._weekdaysMinRegex=this._weekdaysRegex,this._weekdaysStrictRegex=new RegExp("^("+l.join("|")+")","i"),this._weekdaysShortStrictRegex=new RegExp("^("+a.join("|")+")","i"),this._weekdaysMinStrictRegex=new RegExp("^("+s.join("|")+")","i")}function Ue(){return this.hours()%12||12}function Ge(){return this.hours()||24}function $e(e,t){K(e,0,0,function(){return this.localeData().meridiem(this.hours(),this.minutes(),t)})}function Ke(e,t){return t._meridiemParse}function Xe(e){return"p"===(e+"").toLowerCase().charAt(0)}function qe(e,t,o){return e>11?o?"pm":"PM":o?"am":"AM"}function Ze(e){return 
e?e.toLowerCase().replace("_","-"):e}function Je(e){for(var t,o,n,r,i=0;i0;){if(n=Qe(r.slice(0,t).join("-")))return n;if(o&&o.length>=t&&R(r,o,!0)>=t-1)break;t--}i++}return null}function Qe(e){var n=null;if(!xr[e]&&"undefined"!=typeof o&&o&&o.exports)try{n=Or._abbr,t("./locale/"+e),et(n)}catch(e){}return xr[e]}function et(e,t){var o;return e&&(o=w(t)?nt(e):tt(e,t),o&&(Or=o)),Or._abbr}function tt(e,t){if(null!==t){var o=Dr;if(t.abbr=e,null!=xr[e])E("defineLocaleOverride","use moment.updateLocale(localeName, config) to change an existing locale. moment.defineLocale(localeName, config) should only be used for creating a new locale See http://momentjs.com/guides/#/warnings/define-locale/ for more info."),o=xr[e]._config;else if(null!=t.parentLocale){if(null==xr[t.parentLocale])return Hr[t.parentLocale]||(Hr[t.parentLocale]=[]),Hr[t.parentLocale].push({name:e,config:t}),null;o=xr[t.parentLocale]._config}return xr[e]=new D(k(o,t)),Hr[e]&&Hr[e].forEach(function(e){tt(e.name,e.config)}),et(e),xr[e]}return delete xr[e],null}function ot(e,t){if(null!=t){var o,n=Dr;null!=xr[e]&&(n=xr[e]._config),t=k(n,t),o=new D(t),o.parentLocale=xr[e],xr[e]=o,et(e)}else null!=xr[e]&&(null!=xr[e].parentLocale?xr[e]=xr[e].parentLocale:null!=xr[e]&&delete xr[e]);return xr[e]}function nt(e){var t;if(e&&e._locale&&e._locale._abbr&&(e=e._locale._abbr),!e)return Or;if(!r(e)){if(t=Qe(e))return t;e=[e]}return Je(e)}function rt(){return En(xr)}function it(e){var t,o=e._a;return o&&p(e).overflow===-2&&(t=o[ir]<0||o[ir]>11?ir:o[sr]<1||o[sr]>se(o[rr],o[ir])?sr:o[ar]<0||o[ar]>24||24===o[ar]&&(0!==o[lr]||0!==o[ur]||0!==o[cr])?ar:o[lr]<0||o[lr]>59?lr:o[ur]<0||o[ur]>59?ur:o[cr]<0||o[cr]>999?cr:-1,p(e)._overflowDayOfYear&&(tsr)&&(t=sr),p(e)._overflowWeeks&&t===-1&&(t=dr),p(e)._overflowWeekday&&t===-1&&(t=hr),p(e).overflow=t),e}function st(e){var 
t,o,n,r,i,s,a=e._i,l=Ar.exec(a)||Pr.exec(a);if(l){for(p(e).iso=!0,t=0,o=Lr.length;twe(r)&&(p(e)._overflowDayOfYear=!0),o=Ce(r,0,e._dayOfYear),e._a[ir]=o.getUTCMonth(),e._a[sr]=o.getUTCDate()),t=0;t<3&&null==e._a[t];++t)e._a[t]=i[t]=n[t];for(;t<7;t++)e._a[t]=i[t]=null==e._a[t]?2===t?1:0:e._a[t];24===e._a[ar]&&0===e._a[lr]&&0===e._a[ur]&&0===e._a[cr]&&(e._nextDay=!0,e._a[ar]=0),e._d=(e._useUTC?Ce:be).apply(null,i),null!=e._tzm&&e._d.setUTCMinutes(e._d.getUTCMinutes()-e._tzm),e._nextDay&&(e._a[ar]=24)}}function dt(e){var t,o,n,r,i,s,a,l;if(t=e._w,null!=t.GG||null!=t.W||null!=t.E)i=1,s=4,o=lt(t.GG,e._a[rr],Me(bt(),1,4).year),n=lt(t.W,1),r=lt(t.E,1),(r<1||r>7)&&(l=!0);else{i=e._locale._week.dow,s=e._locale._week.doy;var u=Me(bt(),i,s);o=lt(t.gg,e._a[rr],u.year),n=lt(t.w,u.week),null!=t.d?(r=t.d,(r<0||r>6)&&(l=!0)):null!=t.e?(r=t.e+i,(t.e<0||t.e>6)&&(l=!0)):r=i}n<1||n>Se(o,i,s)?p(e)._overflowWeeks=!0:null!=l?p(e)._overflowWeekday=!0:(a=Re(o,n,r,i,s),e._a[rr]=a.year,e._dayOfYear=a.dayOfYear)}function ht(t){if(t._f===e.ISO_8601)return void st(t);t._a=[],p(t).empty=!0;var o,n,r,i,s,a=""+t._i,l=a.length,u=0;for(r=J(t._f,t._locale).match(Nn)||[],o=0;o0&&p(t).unusedInput.push(s),a=a.slice(a.indexOf(n)+n.length),u+=n.length),Wn[i]?(n?p(t).empty=!1:p(t).unusedTokens.push(i),ie(i,n,t)):t._strict&&!n&&p(t).unusedTokens.push(i);p(t).charsLeftOver=l-u,a.length>0&&p(t).unusedInput.push(a),t._a[ar]<=12&&p(t).bigHour===!0&&t._a[ar]>0&&(p(t).bigHour=void 0),p(t).parsedDateParts=t._a.slice(0),p(t).meridiem=t._meridiem,t._a[ar]=ft(t._locale,t._a[ar],t._meridiem),ct(t),it(t)}function ft(e,t,o){var n;return null==o?t:null!=e.meridiemHour?e.meridiemHour(t,o):null!=e.isPM?(n=e.isPM(o),n&&t<12&&(t+=12),n||12!==t||(t=0),t):t}function pt(e){var t,o,n,r,i;if(0===e._f.length)return p(e).invalidFormat=!0,void(e._d=new Date(NaN));for(r=0;rthis.clone().month(0).utcOffset()||this.utcOffset()>this.clone().month(5).utcOffset()}function Wt(){if(!w(this._isDSTShifted))return this._isDSTShifted;var 
e={};if(v(e,this),e=wt(e),e._a){var t=e._isUTC?h(e._a):bt(e._a);this._isDSTShifted=this.isValid()&&R(e._a,t.toArray())>0}else this._isDSTShifted=!1;return this._isDSTShifted}function jt(){return!!this.isValid()&&!this._isUTC}function Vt(){return!!this.isValid()&&this._isUTC}function Bt(){return!!this.isValid()&&(this._isUTC&&0===this._offset)}function Ft(e,t){var o,n,r,i=e,s=null;return St(e)?i={ms:e._milliseconds,d:e._days,M:e._months}:a(e)?(i={},t?i[t]=e:i.milliseconds=e):(s=zr.exec(e))?(o="-"===s[1]?-1:1,i={y:0,d:_(s[sr])*o,h:_(s[ar])*o,m:_(s[lr])*o,s:_(s[ur])*o,ms:_(Et(1e3*s[cr]))*o}):(s=Yr.exec(e))?(o="-"===s[1]?-1:1,i={y:zt(s[2],o),M:zt(s[3],o),w:zt(s[4],o),d:zt(s[5],o),h:zt(s[6],o),m:zt(s[7],o),s:zt(s[8],o)}):null==i?i={}:"object"==typeof i&&("from"in i||"to"in i)&&(r=Ut(bt(i.from),bt(i.to)),i={},i.ms=r.milliseconds,i.M=r.months),n=new Mt(i),St(e)&&c(e,"_locale")&&(n._locale=e._locale),n}function zt(e,t){var o=e&&parseFloat(e.replace(",","."));return(isNaN(o)?0:o)*t}function Yt(e,t){var o={milliseconds:0,months:0};return o.months=t.month()-e.month()+12*(t.year()-e.year()),e.clone().add(o.months,"M").isAfter(t)&&--o.months,o.milliseconds=+t-+e.clone().add(o.months,"M"),o}function Ut(e,t){var o;return e.isValid()&&t.isValid()?(t=kt(t,e),e.isBefore(t)?o=Yt(e,t):(o=Yt(t,e),o.milliseconds=-o.milliseconds,o.months=-o.months),o):{milliseconds:0,months:0}}function Gt(e,t){return function(o,n){var r,i;return null===n||isNaN(+n)||(E(t,"moment()."+t+"(period, number) is deprecated. Please use moment()."+t+"(number, period). 
See http://momentjs.com/guides/#/warnings/add-inverted-param/ for more info."),i=o,o=n,n=i),o="string"==typeof o?+o:o,r=Ft(o,n),$t(this,r,e),this}}function $t(t,o,n,r){var i=o._milliseconds,s=Et(o._days),a=Et(o._months);t.isValid()&&(r=null==r||r,i&&t._d.setTime(t._d.valueOf()+i*n),s&&Y(t,"Date",z(t,"Date")+s*n),a&&de(t,z(t,"Month")+a*n),r&&e.updateOffset(t,s||a))}function Kt(e,t){var o=e.diff(t,"days",!0);return o<-6?"sameElse":o<-1?"lastWeek":o<0?"lastDay":o<1?"sameDay":o<2?"nextDay":o<7?"nextWeek":"sameElse"}function Xt(t,o){var n=t||bt(),r=kt(n,this).startOf("day"),i=e.calendarFormat(this,r)||"sameElse",s=o&&(O(o[i])?o[i].call(this,n):o[i]);return this.format(s||this.localeData().calendar(i,this,bt(n)))}function qt(){return new y(this)}function Zt(e,t){var o=b(e)?e:bt(e);return!(!this.isValid()||!o.isValid())&&(t=W(w(t)?"millisecond":t),"millisecond"===t?this.valueOf()>o.valueOf():o.valueOf()i&&(t=i),Po.call(this,e,t,o,n,r))}function Po(e,t,o,n,r){var i=Re(e,t,o,n,r),s=Ce(i.year,0,i.dayOfYear);return this.year(s.getUTCFullYear()),this.month(s.getUTCMonth()),this.date(s.getUTCDate()),this}function No(e){return null==e?Math.ceil((this.month()+1)/3):this.month(3*(e-1)+this.month()%3)}function Lo(e){var t=Math.round((this.clone().startOf("day")-this.clone().startOf("year"))/864e5)+1;return null==e?t:this.add(e-t,"d")}function Io(e,t){t[cr]=_(1e3*("0."+e))}function Wo(){return this._isUTC?"UTC":""}function jo(){return this._isUTC?"Coordinated Universal Time":""}function Vo(e){return bt(1e3*e)}function Bo(){return bt.apply(null,arguments).parseZone()}function Fo(e){return e}function zo(e,t,o,n){var r=nt(),i=h().set(n,t);return r[o](i,e)}function Yo(e,t,o){if(a(e)&&(t=e,e=void 0),e=e||"",null!=t)return zo(e,t,o,"month");var n,r=[];for(n=0;n<12;n++)r[n]=zo(e,n,o,"month");return r}function Uo(e,t,o,n){"boolean"==typeof e?(a(t)&&(o=t,t=void 0),t=t||""):(t=e,o=t,e=!1,a(t)&&(o=t,t=void 0),t=t||"");var r=nt(),i=e?r._week.dow:0;if(null!=o)return zo(t,(o+i)%7,n,"day");var 
s,l=[];for(s=0;s<7;s++)l[s]=zo(t,(s+i)%7,n,"day");return l}function Go(e,t){return Yo(e,t,"months")}function $o(e,t){return Yo(e,t,"monthsShort")}function Ko(e,t,o){return Uo(e,t,o,"weekdays")}function Xo(e,t,o){return Uo(e,t,o,"weekdaysShort")}function qo(e,t,o){return Uo(e,t,o,"weekdaysMin")}function Zo(){var e=this._data;return this._milliseconds=ti(this._milliseconds),this._days=ti(this._days),this._months=ti(this._months),e.milliseconds=ti(e.milliseconds),e.seconds=ti(e.seconds),e.minutes=ti(e.minutes),e.hours=ti(e.hours),e.months=ti(e.months),e.years=ti(e.years),this}function Jo(e,t,o,n){var r=Ft(t,o);return e._milliseconds+=n*r._milliseconds,e._days+=n*r._days,e._months+=n*r._months,e._bubble()}function Qo(e,t){return Jo(this,e,t,1)}function en(e,t){return Jo(this,e,t,-1)}function tn(e){return e<0?Math.floor(e):Math.ceil(e)}function on(){var e,t,o,n,r,i=this._milliseconds,s=this._days,a=this._months,l=this._data;return i>=0&&s>=0&&a>=0||i<=0&&s<=0&&a<=0||(i+=864e5*tn(rn(a)+s),s=0,a=0),l.milliseconds=i%1e3,e=C(i/1e3),l.seconds=e%60,t=C(e/60),l.minutes=t%60,o=C(t/60),l.hours=o%24,s+=C(o/24),r=C(nn(s)),a+=r,s-=tn(rn(r)),n=C(a/12),a%=12,l.days=s,l.months=a,l.years=n,this}function nn(e){return 4800*e/146097}function rn(e){return 146097*e/4800}function sn(e){var t,o,n=this._milliseconds;if(e=W(e),"month"===e||"year"===e)return t=this._days+n/864e5,o=this._months+nn(t),"month"===e?o:o/12;switch(t=this._days+Math.round(rn(this._months)),e){case"week":return t/7+n/6048e5;case"day":return t+n/864e5;case"hour":return 24*t+n/36e5;case"minute":return 1440*t+n/6e4;case"second":return 86400*t+n/1e3;case"millisecond":return Math.floor(864e5*t)+n;default:throw new Error("Unknown unit "+e)}}function an(){return this._milliseconds+864e5*this._days+this._months%12*2592e6+31536e6*_(this._months/12)}function ln(e){return function(){return this.as(e)}}function un(e){return e=W(e),this[e+"s"]()}function cn(e){return function(){return this._data[e]}}function dn(){return 
C(this.days()/7)}function hn(e,t,o,n,r){return r.relativeTime(t||1,!!o,e,n)}function fn(e,t,o){var n=Ft(e).abs(),r=wi(n.as("s")),i=wi(n.as("m")),s=wi(n.as("h")),a=wi(n.as("d")),l=wi(n.as("M")),u=wi(n.as("y")),c=r0,c[4]=o,hn.apply(null,c)}function pn(e){return void 0===e?wi:"function"==typeof e&&(wi=e,!0)}function gn(e,t){return void 0!==vi[e]&&(void 0===t?vi[e]:(vi[e]=t,!0))}function mn(e){var t=this.localeData(),o=fn(this,!e,t);return e&&(o=t.pastFuture(+this,o)),t.postformat(o)}function wn(){var e,t,o,n=yi(this._milliseconds)/1e3,r=yi(this._days),i=yi(this._months);e=C(n/60),t=C(e/60),n%=60,e%=60,o=C(i/12),i%=12;var s=o,a=i,l=r,u=t,c=e,d=n,h=this.asSeconds();return h?(h<0?"-":"")+"P"+(s?s+"Y":"")+(a?a+"M":"")+(l?l+"D":"")+(u||c||d?"T":"")+(u?u+"H":"")+(c?c+"M":"")+(d?d+"S":""):"P0D"}var vn,yn;yn=Array.prototype.some?Array.prototype.some:function(e){for(var t=Object(this),o=t.length>>>0,n=0;n68?1900:2e3)};var yr=F("FullYear",!0);K("w",["ww",2],"wo","week"),K("W",["WW",2],"Wo","isoWeek"),I("week","w"),I("isoWeek","W"),V("week",5),V("isoWeek",5),Q("w",Yn),Q("ww",Yn,Vn),Q("W",Yn),Q("WW",Yn,Vn),re(["w","ww","W","WW"],function(e,t,o,n){t[n.substr(0,1)]=_(e)});var br={dow:0,doy:6};K("d",0,"do","day"),K("dd",0,0,function(e){return this.localeData().weekdaysMin(this,e)}),K("ddd",0,0,function(e){return this.localeData().weekdaysShort(this,e)}),K("dddd",0,0,function(e){return this.localeData().weekdays(this,e)}),K("e",0,0,"weekday"),K("E",0,0,"isoWeekday"),I("day","d"),I("weekday","e"),I("isoWeekday","E"),V("day",11),V("weekday",11),V("isoWeekday",11),Q("d",Yn),Q("e",Yn),Q("E",Yn),Q("dd",function(e,t){return t.weekdaysMinRegex(e)}),Q("ddd",function(e,t){return t.weekdaysShortRegex(e)}),Q("dddd",function(e,t){return t.weekdaysRegex(e)}),re(["dd","ddd","dddd"],function(e,t,o,n){var r=o._locale.weekdaysParse(e,n,o._strict);null!=r?t.d=r:p(o).invalidWeekday=e}),re(["d","e","E"],function(e,t,o,n){t[n]=_(e)});var 
Cr="Sunday_Monday_Tuesday_Wednesday_Thursday_Friday_Saturday".split("_"),_r="Sun_Mon_Tue_Wed_Thu_Fri_Sat".split("_"),Rr="Su_Mo_Tu_We_Th_Fr_Sa".split("_"),Mr=tr,Sr=tr,Er=tr;K("H",["HH",2],0,"hour"),K("h",["hh",2],0,Ue),K("k",["kk",2],0,Ge),K("hmm",0,0,function(){return""+Ue.apply(this)+$(this.minutes(),2)}),K("hmmss",0,0,function(){return""+Ue.apply(this)+$(this.minutes(),2)+$(this.seconds(),2)}),K("Hmm",0,0,function(){return""+this.hours()+$(this.minutes(),2)}),K("Hmmss",0,0,function(){return""+this.hours()+$(this.minutes(),2)+$(this.seconds(),2)}),$e("a",!0),$e("A",!1),I("hour","h"),V("hour",13),Q("a",Ke),Q("A",Ke),Q("H",Yn),Q("h",Yn),Q("HH",Yn,Vn),Q("hh",Yn,Vn),Q("hmm",Un),Q("hmmss",Gn),Q("Hmm",Un),Q("Hmmss",Gn),ne(["H","HH"],ar),ne(["a","A"],function(e,t,o){o._isPm=o._locale.isPM(e),o._meridiem=e}),ne(["h","hh"],function(e,t,o){t[ar]=_(e),p(o).bigHour=!0}),ne("hmm",function(e,t,o){var n=e.length-2;t[ar]=_(e.substr(0,n)),t[lr]=_(e.substr(n)),p(o).bigHour=!0}),ne("hmmss",function(e,t,o){var n=e.length-4,r=e.length-2;t[ar]=_(e.substr(0,n)),t[lr]=_(e.substr(n,2)),t[ur]=_(e.substr(r)),p(o).bigHour=!0}),ne("Hmm",function(e,t,o){var n=e.length-2;t[ar]=_(e.substr(0,n)),t[lr]=_(e.substr(n))}),ne("Hmmss",function(e,t,o){var n=e.length-4,r=e.length-2;t[ar]=_(e.substr(0,n)),t[lr]=_(e.substr(n,2)),t[ur]=_(e.substr(r))});var Or,Tr=/[ap]\.?m?\.?/i,kr=F("Hours",!0),Dr={calendar:On,longDateFormat:Tn,invalidDate:kn,ordinal:Dn,ordinalParse:xn,relativeTime:Hn,months:gr,monthsShort:mr,week:br,weekdays:Cr,weekdaysMin:Rr,weekdaysShort:_r,meridiemParse:Tr},xr={},Hr={},Ar=/^\s*((?:[+-]\d{6}|\d{4})-(?:\d\d-\d\d|W\d\d-\d|W\d\d|\d\d\d|\d\d))(?:(T| )(\d\d(?::\d\d(?::\d\d(?:[.,]\d+)?)?)?)([\+\-]\d\d(?::?\d\d)?|\s*Z)?)?$/,Pr=/^\s*((?:[+-]\d{6}|\d{4})(?:\d\d\d\d|W\d\d\d|W\d\d|\d\d\d|\d\d))(?:(T| 
)(\d\d(?:\d\d(?:\d\d(?:[.,]\d+)?)?)?)([\+\-]\d\d(?::?\d\d)?|\s*Z)?)?$/,Nr=/Z|[+-]\d\d(?::?\d\d)?/,Lr=[["YYYYYY-MM-DD",/[+-]\d{6}-\d\d-\d\d/],["YYYY-MM-DD",/\d{4}-\d\d-\d\d/],["GGGG-[W]WW-E",/\d{4}-W\d\d-\d/],["GGGG-[W]WW",/\d{4}-W\d\d/,!1],["YYYY-DDD",/\d{4}-\d{3}/],["YYYY-MM",/\d{4}-\d\d/,!1],["YYYYYYMMDD",/[+-]\d{10}/],["YYYYMMDD",/\d{8}/],["GGGG[W]WWE",/\d{4}W\d{3}/],["GGGG[W]WW",/\d{4}W\d{2}/,!1],["YYYYDDD",/\d{7}/]],Ir=[["HH:mm:ss.SSSS",/\d\d:\d\d:\d\d\.\d+/],["HH:mm:ss,SSSS",/\d\d:\d\d:\d\d,\d+/],["HH:mm:ss",/\d\d:\d\d:\d\d/],["HH:mm",/\d\d:\d\d/],["HHmmss.SSSS",/\d\d\d\d\d\d\.\d+/],["HHmmss,SSSS",/\d\d\d\d\d\d,\d+/],["HHmmss",/\d\d\d\d\d\d/],["HHmm",/\d\d\d\d/],["HH",/\d\d/]],Wr=/^\/?Date\((\-?\d+)/i;e.createFromInputFallback=S("value provided is not in a recognized ISO format. moment construction falls back to js Date(), which is not reliable across all browsers and versions. Non ISO date formats are discouraged and will be removed in an upcoming major release. Please refer to http://momentjs.com/guides/#/warnings/js-date/ for more info.",function(e){e._d=new Date(e._i+(e._useUTC?" UTC":""))}),e.ISO_8601=function(){};var jr=S("moment().min is deprecated, use moment.max instead. http://momentjs.com/guides/#/warnings/min-max/",function(){var e=bt.apply(null,arguments);return this.isValid()&&e.isValid()?ethis?this:e:m()}),Br=function(){return Date.now?Date.now():+new Date};Ot("Z",":"),Ot("ZZ",""),Q("Z",Qn),Q("ZZ",Qn),ne(["Z","ZZ"],function(e,t,o){o._useUTC=!0,o._tzm=Tt(Qn,e)});var Fr=/([\+\-]|\d\d)/gi;e.updateOffset=function(){};var zr=/^(\-)?(?:(\d*)[. ])?(\d+)\:(\d+)(?:\:(\d+)(\.\d*)?)?$/,Yr=/^(-)?P(?:(-?[0-9,.]*)Y)?(?:(-?[0-9,.]*)M)?(?:(-?[0-9,.]*)W)?(?:(-?[0-9,.]*)D)?(?:T(?:(-?[0-9,.]*)H)?(?:(-?[0-9,.]*)M)?(?:(-?[0-9,.]*)S)?)?$/;Ft.fn=Mt.prototype;var Ur=Gt(1,"add"),Gr=Gt(-1,"subtract");e.defaultFormat="YYYY-MM-DDTHH:mm:ssZ",e.defaultFormatUtc="YYYY-MM-DDTHH:mm:ss[Z]";var $r=S("moment().lang() is deprecated. 
Instead, use moment().localeData() to get the language configuration. Use moment().locale() to change languages.",function(e){return void 0===e?this.localeData():this.locale(e)});K(0,["gg",2],0,function(){return this.weekYear()%100}),K(0,["GG",2],0,function(){return this.isoWeekYear()%100}),To("gggg","weekYear"),To("ggggg","weekYear"),To("GGGG","isoWeekYear"),To("GGGGG","isoWeekYear"),I("weekYear","gg"),I("isoWeekYear","GG"),V("weekYear",1),V("isoWeekYear",1),Q("G",Zn),Q("g",Zn),Q("GG",Yn,Vn),Q("gg",Yn,Vn),Q("GGGG",Kn,Fn),Q("gggg",Kn,Fn),Q("GGGGG",Xn,zn),Q("ggggg",Xn,zn),re(["gggg","ggggg","GGGG","GGGGG"],function(e,t,o,n){t[n.substr(0,2)]=_(e)}),re(["gg","GG"],function(t,o,n,r){o[r]=e.parseTwoDigitYear(t)}),K("Q",0,"Qo","quarter"),I("quarter","Q"),V("quarter",7),Q("Q",jn),ne("Q",function(e,t){t[ir]=3*(_(e)-1)}),K("D",["DD",2],"Do","date"),I("date","D"),V("date",9),Q("D",Yn),Q("DD",Yn,Vn),Q("Do",function(e,t){return e?t._ordinalParse:t._ordinalParseLenient}),ne(["D","DD"],sr),ne("Do",function(e,t){t[sr]=_(e.match(Yn)[0],10)});var Kr=F("Date",!0);K("DDD",["DDDD",3],"DDDo","dayOfYear"),I("dayOfYear","DDD"),V("dayOfYear",4),Q("DDD",$n),Q("DDDD",Bn),ne(["DDD","DDDD"],function(e,t,o){o._dayOfYear=_(e)}),K("m",["mm",2],0,"minute"),I("minute","m"),V("minute",14),Q("m",Yn),Q("mm",Yn,Vn),ne(["m","mm"],lr);var Xr=F("Minutes",!1);K("s",["ss",2],0,"second"),I("second","s"),V("second",15),Q("s",Yn),Q("ss",Yn,Vn),ne(["s","ss"],ur);var qr=F("Seconds",!1);K("S",0,0,function(){return~~(this.millisecond()/100)}),K(0,["SS",2],0,function(){return~~(this.millisecond()/10)}),K(0,["SSS",3],0,"millisecond"),K(0,["SSSS",4],0,function(){return 10*this.millisecond()}),K(0,["SSSSS",5],0,function(){return 100*this.millisecond()}),K(0,["SSSSSS",6],0,function(){return 1e3*this.millisecond()}),K(0,["SSSSSSS",7],0,function(){return 1e4*this.millisecond()}),K(0,["SSSSSSSS",8],0,function(){return 1e5*this.millisecond()}),K(0,["SSSSSSSSS",9],0,function(){return 
1e6*this.millisecond()}),I("millisecond","ms"),V("millisecond",16),Q("S",$n,jn),Q("SS",$n,Vn),Q("SSS",$n,Bn);var Zr;for(Zr="SSSS";Zr.length<=9;Zr+="S")Q(Zr,qn);for(Zr="S";Zr.length<=9;Zr+="S")ne(Zr,Io);var Jr=F("Milliseconds",!1);K("z",0,0,"zoneAbbr"),K("zz",0,0,"zoneName");var Qr=y.prototype;Qr.add=Ur,Qr.calendar=Xt,Qr.clone=qt,Qr.diff=no,Qr.endOf=wo,Qr.format=lo,Qr.from=uo,Qr.fromNow=co,Qr.to=ho,Qr.toNow=fo,Qr.get=U,Qr.invalidAt=Eo,Qr.isAfter=Zt,Qr.isBefore=Jt,Qr.isBetween=Qt,Qr.isSame=eo,Qr.isSameOrAfter=to,Qr.isSameOrBefore=oo,Qr.isValid=Mo,Qr.lang=$r,Qr.locale=po,Qr.localeData=go,Qr.max=Vr,Qr.min=jr,Qr.parsingFlags=So,Qr.set=G,Qr.startOf=mo,Qr.subtract=Gr,Qr.toArray=Co,Qr.toObject=_o,Qr.toDate=bo,Qr.toISOString=so,Qr.inspect=ao,Qr.toJSON=Ro,Qr.toString=io,Qr.unix=yo,Qr.valueOf=vo,Qr.creationData=Oo,Qr.year=yr,Qr.isLeapYear=ye,Qr.weekYear=ko,Qr.isoWeekYear=Do,Qr.quarter=Qr.quarters=No,Qr.month=he,Qr.daysInMonth=fe,Qr.week=Qr.weeks=ke,Qr.isoWeek=Qr.isoWeeks=De,Qr.weeksInYear=Ho,Qr.isoWeeksInYear=xo,Qr.date=Kr,Qr.day=Qr.days=We,Qr.weekday=je,Qr.isoWeekday=Ve,Qr.dayOfYear=Lo,Qr.hour=Qr.hours=kr,Qr.minute=Qr.minutes=Xr,Qr.second=Qr.seconds=qr,Qr.millisecond=Qr.milliseconds=Jr,Qr.utcOffset=xt,Qr.utc=At,Qr.local=Pt,Qr.parseZone=Nt,Qr.hasAlignedHourOffset=Lt,Qr.isDST=It,Qr.isLocal=jt,Qr.isUtcOffset=Vt,Qr.isUtc=Bt,Qr.isUTC=Bt,Qr.zoneAbbr=Wo,Qr.zoneName=jo,Qr.dates=S("dates accessor is deprecated. Use date instead.",Kr),Qr.months=S("months accessor is deprecated. Use month instead",he),Qr.years=S("years accessor is deprecated. Use year instead",yr),Qr.zone=S("moment().zone is deprecated, use moment().utcOffset instead. http://momentjs.com/guides/#/warnings/zone/",Ht),Qr.isDSTShifted=S("isDSTShifted is deprecated. 
See http://momentjs.com/guides/#/warnings/dst-shifted/ for more information",Wt);var ei=D.prototype;ei.calendar=x,ei.longDateFormat=H,ei.invalidDate=A,ei.ordinal=P,ei.preparse=Fo,ei.postformat=Fo,ei.relativeTime=N,ei.pastFuture=L,ei.set=T,ei.months=ae,ei.monthsShort=le,ei.monthsParse=ce,ei.monthsRegex=ge,ei.monthsShortRegex=pe,ei.week=Ee,ei.firstDayOfYear=Te,ei.firstDayOfWeek=Oe,ei.weekdays=Ae,ei.weekdaysMin=Ne,ei.weekdaysShort=Pe,ei.weekdaysParse=Ie,ei.weekdaysRegex=Be,ei.weekdaysShortRegex=Fe,ei.weekdaysMinRegex=ze,ei.isPM=Xe,ei.meridiem=qe,et("en",{ordinalParse:/\d{1,2}(th|st|nd|rd)/,ordinal:function(e){var t=e%10,o=1===_(e%100/10)?"th":1===t?"st":2===t?"nd":3===t?"rd":"th";return e+o}}),e.lang=S("moment.lang is deprecated. Use moment.locale instead.",et),e.langData=S("moment.langData is deprecated. Use moment.localeData instead.",nt);var ti=Math.abs,oi=ln("ms"),ni=ln("s"),ri=ln("m"),ii=ln("h"),si=ln("d"),ai=ln("w"),li=ln("M"),ui=ln("y"),ci=cn("milliseconds"),di=cn("seconds"),hi=cn("minutes"),fi=cn("hours"),pi=cn("days"),gi=cn("months"),mi=cn("years"),wi=Math.round,vi={s:45,m:45,h:22,d:26,M:11},yi=Math.abs,bi=Mt.prototype;return bi.abs=Zo,bi.add=Qo,bi.subtract=en,bi.as=sn,bi.asMilliseconds=oi,bi.asSeconds=ni,bi.asMinutes=ri,bi.asHours=ii,bi.asDays=si,bi.asWeeks=ai,bi.asMonths=li,bi.asYears=ui,bi.valueOf=an,bi._bubble=on,bi.get=un,bi.milliseconds=ci,bi.seconds=di,bi.minutes=hi,bi.hours=fi,bi.days=pi,bi.weeks=dn,bi.months=gi,bi.years=mi,bi.humanize=mn,bi.toISOString=wn,bi.toString=wn,bi.toJSON=wn,bi.locale=po,bi.localeData=go,bi.toIsoString=S("toIsoString() is deprecated. 
Please use toISOString() instead (notice the capitals)",wn),bi.lang=$r,K("X",0,0,"unix"),K("x",0,0,"valueOf"),Q("x",Zn),Q("X",er),ne("X",function(e,t,o){o._d=new Date(1e3*parseFloat(e,10))}),ne("x",function(e,t,o){o._d=new Date(_(e))}),e.version="2.17.1",n(bt),e.fn=Qr,e.min=_t,e.max=Rt,e.now=Br,e.utc=h,e.unix=Vo,e.months=Go,e.isDate=l,e.locale=et,e.invalid=m,e.duration=Ft,e.isMoment=b,e.weekdays=Ko,e.parseZone=Bo,e.localeData=nt,e.isDuration=St,e.monthsShort=$o,e.weekdaysMin=qo,e.defineLocale=tt,e.updateLocale=ot,e.locales=rt,e.weekdaysShort=Xo,e.normalizeUnits=W,e.relativeTimeRounding=pn,e.relativeTimeThreshold=gn,e.calendarFormat=Kt,e.prototype=Qr,e})},{}],numbro:[function(t,o,n){/*! - * numbro.js - * version : 1.9.3 - * author : Företagsplatsen AB - * license : MIT - * http://www.foretagsplatsen.se - */ -(function(){"use strict";function n(e){this._value=e}function r(e){var t,o="";for(t=0;t0?c=n+i+r(s-i.length):(a=+n<0?"-0":"0",t>0&&(a+="."),u=r(-1*s-1),l=(u+Math.abs(n)+i).substr(0,t),c=a+l),+s>0&&t>0&&(c+="."+r(t)),c}function s(e,t,o,n){var r,s,a=Math.pow(10,t);return e.toString().indexOf("e")>-1?(s=i(e,t),"-"===s.charAt(0)&&+s>=0&&(s=s.substr(1))):s=(o(e+"e+"+t)/a).toFixed(t),n&&(r=new RegExp("0{1,"+n+"}$"),s=s.replace(r,"")),s}function a(e,t,o){var n,r=t.replace(/\{[^\{\}]*\}/g,"");return n=r.indexOf("$")>-1?u(e,O[k].currency.symbol,t,o):r.indexOf("%")>-1?d(e,t,o):r.indexOf(":")>-1?h(e,t):g(e._value,t,o)}function l(e,t){var o,n,r,i,s,a=t,l=!1;if(t.indexOf(":")>-1)e._value=f(t);else if(t===D)e._value=0;else{for("."!==O[k].delimiters.decimal&&(t=t.replace(/\./g,"").replace(O[k].delimiters.decimal,".")),o=new RegExp("[^a-zA-Z]"+O[k].abbreviations.thousand+"(?:\\)|(\\"+O[k].currency.symbol+")?(?:\\))?)?$"),n=new RegExp("[^a-zA-Z]"+O[k].abbreviations.million+"(?:\\)|(\\"+O[k].currency.symbol+")?(?:\\))?)?$"),r=new RegExp("[^a-zA-Z]"+O[k].abbreviations.billion+"(?:\\)|(\\"+O[k].currency.symbol+")?(?:\\))?)?$"),i=new 
RegExp("[^a-zA-Z]"+O[k].abbreviations.trillion+"(?:\\)|(\\"+O[k].currency.symbol+")?(?:\\))?)?$"),s=1;s-1?l=Math.pow(1024,s):t.indexOf(M[s])>-1&&(l=Math.pow(1e3,s));var u=t.replace(/[^0-9\.]+/g,"");""===u?e._value=NaN:(e._value=(l?l:1)*(a.match(o)?Math.pow(10,3):1)*(a.match(n)?Math.pow(10,6):1)*(a.match(r)?Math.pow(10,9):1)*(a.match(i)?Math.pow(10,12):1)*(t.indexOf("%")>-1?.01:1)*((t.split("-").length+Math.min(t.split("(").length-1,t.split(")").length-1))%2?1:-1)*Number(u),e._value=l?Math.ceil(e._value):e._value)}return e._value}function u(e,t,o,n){var r,i,s=o,a=s.indexOf("$"),l=s.indexOf("("),u=s.indexOf("+"),c=s.indexOf("-"),d="",h="";if(s.indexOf("$")===-1?"infix"===O[k].currency.position?(h=t,O[k].currency.spaceSeparated&&(h=" "+h+" ")):O[k].currency.spaceSeparated&&(d=" "):s.indexOf(" $")>-1?(d=" ",s=s.replace(" $","")):s.indexOf("$ ")>-1?(d=" ",s=s.replace("$ ","")):s=s.replace("$",""),i=g(e._value,s,n,h),o.indexOf("$")===-1)switch(O[k].currency.position){case"postfix":i.indexOf(")")>-1?(i=i.split(""),i.splice(-1,0,d+t),i=i.join("")):i=i+d+t;break;case"infix":break;case"prefix":i.indexOf("(")>-1||i.indexOf("-")>-1?(i=i.split(""),r=Math.max(l,c)+1,i.splice(r,0,t+d),i=i.join("")):i=t+d+i;break;default:throw Error('Currency position should be among ["prefix", "infix", "postfix"]')}else a<=1?i.indexOf("(")>-1||i.indexOf("+")>-1||i.indexOf("-")>-1?(i=i.split(""),r=1,(a-1?(i=i.split(""),i.splice(-1,0,d+t),i=i.join("")):i=i+d+t;return i}function c(e,t,o,n){return u(e,t,o,n)}function d(e,t,o){var n,r="",i=100*e._value;return t.indexOf(" %")>-1?(r=" ",t=t.replace(" %","")):t=t.replace("%",""),n=g(i,t,o),n.indexOf(")")>-1?(n=n.split(""),n.splice(-1,0,r+"%"),n=n.join("")):n=n+r+"%",n}function h(e){var t=Math.floor(e._value/60/60),o=Math.floor((e._value-60*t*60)/60),n=Math.round(e._value-60*t*60-60*o);return t+":"+(o<10?"0"+o:o)+":"+(n<10?"0"+n:n)}function f(e){var t=e.split(":"),o=0;return 
3===t.length?(o+=60*Number(t[0])*60,o+=60*Number(t[1]),o+=Number(t[2])):2===t.length&&(o+=60*Number(t[0]),o+=Number(t[1])),Number(o)}function p(e,t,o){var n,r,i,s=t[0],a=Math.abs(e);if(a>=o){for(n=1;n=r&&a-1?(M=!0,t=t.slice(1,-1)):t.indexOf("+")>-1&&(S=!0,t=t.replace(/\+/g,"")),t.indexOf("a")>-1&&(f=t.split(".")[0].match(/[0-9]+/g)||["0"],f=parseInt(f[0],10),H=t.indexOf("aK")>=0,A=t.indexOf("aM")>=0,P=t.indexOf("aB")>=0,N=t.indexOf("aT")>=0,L=H||A||P||N,t.indexOf(" a")>-1?(x=" ",t=t.replace(" a","")):t=t.replace("a",""),l=Math.floor(Math.log(j)/Math.LN10)+1,c=l%3,c=0===c?3:c,f&&0!==j&&(u=Math.floor(Math.log(j)/Math.LN10)+1-f,d=3*~~((Math.min(f,l)-c)/3),j/=Math.pow(10,d),t.indexOf(".")===-1&&f>3&&(t+="[.]",b=0===u?0:3*~~(u/3)-u,b=b<0?b+3:b,t+=r(b))),Math.floor(Math.log(Math.abs(e))/Math.LN10)+1!==f&&(j>=Math.pow(10,12)&&!L||N?(x+=O[k].abbreviations.trillion,e/=Math.pow(10,12)):j=Math.pow(10,9)&&!L||P?(x+=O[k].abbreviations.billion,e/=Math.pow(10,9)):j=Math.pow(10,6)&&!L||A?(x+=O[k].abbreviations.million,e/=Math.pow(10,6)):(j=Math.pow(10,3)&&!L||H)&&(x+=O[k].abbreviations.thousand,e/=Math.pow(10,3)))),R=0;R-1){t.indexOf(" "+i.marker)>-1&&(I=" "),t=t.replace(I+i.marker,""),a=p(e,i.suffixes,i.scale),e=a.value,I+=a.suffix;break}if(t.indexOf("o")>-1&&(t.indexOf(" o")>-1?(W=" ",t=t.replace(" o","")):t=t.replace("o",""),O[k].ordinal&&(W+=O[k].ordinal(e))),t.indexOf("[.]")>-1&&(T=!0,t=t.replace("[.]",".")),h=e.toString().split(".")[0],g=t.split(".")[1],v=t.indexOf(","),g){if(g.indexOf("*")!==-1?V=s(e,e.toString().split(".")[1].length,o):g.indexOf("[")>-1?(g=g.replace("]",""),g=g.split("["),V=s(e,g[0].length+g[1].length,o,g[1].length)):V=s(e,g.length,o),h=V.split(".")[0],V.split(".")[1].length){var $=n?x+n:O[k].delimiters.decimal;V=$+V.split(".")[1]}else V="";T&&0===Number(V.slice(1))&&(V="")}else h=s(e,0,o);return 
h.indexOf("-")>-1&&(h=h.slice(1),F=!0),h.length<_&&(h=r(_-h.length)+h),v>-1&&(h=h.toString().replace(/(\d)(?=(\d{3})+(?!\d))/g,"$1"+O[k].delimiters.thousands)),0===t.indexOf(".")&&(h=""),y=t.indexOf("("),C=t.indexOf("-"),z=y0||"grunt"===process.title||"gulp"===process.title)&&"undefined"!=typeof t}function y(e){var t=e.toString().split(".");return t.length<2?1:Math.pow(10,t[1].length)}function b(){var e=Array.prototype.slice.call(arguments);return e.reduce(function(e,t){var o=y(e),n=y(t);return o>n?o:n},-(1/0))}var C,_="1.9.3",R=["B","KiB","MiB","GiB","TiB","PiB","EiB","ZiB","YiB"],M=["B","KB","MB","GB","TB","PB","EB","ZB","YB"],S={general:{scale:1024,suffixes:M,marker:"bd"},binary:{scale:1024,suffixes:R,marker:"b"},decimal:{scale:1e3,suffixes:M,marker:"d"}},E=[S.general,S.binary,S.decimal],O={},T=O,k="en-US",D=null,x="0,0",H="0$",A="undefined"!=typeof o&&o.exports,P={delimiters:{thousands:",",decimal:"."},abbreviations:{thousand:"k",million:"m",billion:"b",trillion:"t"},ordinal:function(e){var t=e%10;return 1===~~(e%100/10)?"th":1===t?"st":2===t?"nd":3===t?"rd":"th"},currency:{symbol:"$",position:"prefix"},defaults:{currencyFormat:",0000 a"},formats:{fourDigits:"0000 a",fullWithTwoDecimals:"$ ,0.00",fullWithTwoDecimalsNoCurrency:",0.00"}};C=function(e){return C.isNumbro(e)?e=e.value():0===e||"undefined"==typeof e?e=0:Number(e)||(e=C.fn.unformat(e)),new n(Number(e))},C.version=_,C.isNumbro=function(e){return e instanceof n},C.setLanguage=function(e,t){console.warn("`setLanguage` is deprecated since version 1.6.0. Use `setCulture` instead");var o=e,n=e.split("-")[0],r=null;T[o]||(Object.keys(T).forEach(function(e){r||e.split("-")[0]!==n||(r=e)}),o=r||t||"en-US"),w(o)},C.setCulture=function(e,t){var o=e,n=e.split("-")[1],r=null;O[o]||(n&&Object.keys(O).forEach(function(e){r||e.split("-")[1]!==n||(r=e)}),o=r||t||"en-US"),w(o)},C.language=function(e,t){if(console.warn("`language` is deprecated since version 1.6.0. 
Use `culture` instead"),!e)return k;if(e&&!t){if(!T[e])throw new Error("Unknown language : "+e);w(e)}return!t&&T[e]||m(e,t),C},C.culture=function(e,t){if(!e)return k;if(e&&!t){if(!O[e])throw new Error("Unknown culture : "+e);w(e)}return!t&&O[e]||m(e,t),C},C.languageData=function(e){if(console.warn("`languageData` is deprecated since version 1.6.0. Use `cultureData` instead"),!e)return T[k];if(!T[e])throw new Error("Unknown language : "+e);return T[e]},C.cultureData=function(e){if(!e)return O[k];if(!O[e])throw new Error("Unknown culture : "+e);return O[e]},C.culture("en-US",P),C.languages=function(){return console.warn("`languages` is deprecated since version 1.6.0. Use `cultures` instead"),T},C.cultures=function(){return O},C.zeroFormat=function(e){D="string"==typeof e?e:null},C.defaultFormat=function(e){x="string"==typeof e?e:"0.0"},C.defaultCurrencyFormat=function(e){H="string"==typeof e?e:"0$"},C.validate=function(e,t){var o,n,r,i,s,a,l,u;if("string"!=typeof e&&(e+="",console.warn&&console.warn("Numbro.js: Value is not string. It has been co-erced to: ",e)),e=e.trim(),e=e.replace(/^[+-]?/,""),e.match(/^\d+$/))return!0;if(""===e)return!1;try{l=C.cultureData(t)}catch(e){l=C.cultureData(C.culture())}return r=l.currency.symbol,s=l.abbreviations,o=l.delimiters.decimal,n="."===l.delimiters.thousands?"\\.":l.delimiters.thousands,u=e.match(/^[^\d\.\,]+/),(null===u||(e=e.substr(1),u[0]===r))&&(u=e.match(/[^\d]+$/),(null===u||(e=e.slice(0,-1),u[0]===s.thousand||u[0]===s.million||u[0]===s.billion||u[0]===s.trillion))&&(a=new RegExp(n+"{2}"),!e.match(/[^\d.,]/g)&&(i=e.split(o),!(i.length>2)&&(i.length<2?!!i[0].match(/^\d+.*\d$/)&&!i[0].match(a):""===i[0]?!i[0].match(a)&&!!i[1].match(/^\d+$/):1===i[0].length?!!i[0].match(/^\d+$/)&&!i[0].match(a)&&!!i[1].match(/^\d+$/):!!i[0].match(/^\d+.*\d$/)&&!i[0].match(a)&&!!i[1].match(/^\d+$/)))))},C.loadLanguagesInNode=function(){console.warn("`loadLanguagesInNode` is deprecated since version 1.6.0. 
Use `loadCulturesInNode` instead"),C.loadCulturesInNode()},C.loadCulturesInNode=function(){var e=t("./languages");for(var o in e)o&&C.culture(o,e[o])},"function"!=typeof Array.prototype.reduce&&(Array.prototype.reduce=function(e,t){if(null===this||"undefined"==typeof this)throw new TypeError("Array.prototype.reduce called on null or undefined");if("function"!=typeof e)throw new TypeError(e+" is not a function");var o,n,r=this.length>>>0,i=!1;for(1o;++o)this.hasOwnProperty(o)&&(i?n=e(n,this[o],o,this):(n=this[o],i=!0));if(!i)throw new TypeError("Reduce of empty array with no initial value");return n}),C.fn=n.prototype={clone:function(){return C(this)},format:function(e,t){return a(this,e?e:x,void 0!==t?t:Math.round)},formatCurrency:function(e,t){return u(this,O[k].currency.symbol,e?e:H,void 0!==t?t:Math.round)},formatForeignCurrency:function(e,t,o){return c(this,e,t?t:H,void 0!==o?o:Math.round)},unformat:function(e){if("number"==typeof e)return e;if("string"==typeof e){var t=l(this,e);return isNaN(t)?void 0:t}},binaryByteUnits:function(){return p(this._value,S.binary.suffixes,S.binary.scale).suffix},byteUnits:function(){return p(this._value,S.general.suffixes,S.general.scale).suffix},decimalByteUnits:function(){return p(this._value,S.decimal.suffixes,S.decimal.scale).suffix},value:function(){return this._value},valueOf:function(){return this._value},set:function(e){return this._value=Number(e),this},add:function(e){function t(e,t){return e+o*t}var o=b.call(null,this._value,e);return this._value=[this._value,e].reduce(t,0)/o,this},subtract:function(e){function t(e,t){return e-o*t}var o=b.call(null,this._value,e);return this._value=[e].reduce(t,this._value*o)/o,this},multiply:function(e){function t(e,t){var o=b(e,t),n=e*o;return n*=t*o,n/=o*o}return this._value=[this._value,e].reduce(t,1),this},divide:function(e){function t(e,t){var o=b(e,t);return e*o/(t*o)}return this._value=[this._value,e].reduce(t),this},difference:function(e){return 
Math.abs(C(this._value).subtract(e).value())}},v()&&C.loadCulturesInNode(),A?o.exports=C:("undefined"==typeof ender&&(this.numbro=C),"function"==typeof e&&e.amd&&e([],function(){return C}))}).call("undefined"==typeof window?this:window)},{languages:1}],pikaday:[function(t,o,n){/*! - * Pikaday - * - * Copyright © 2014 David Bushell | BSD & MIT license | https://github.com/dbushell/Pikaday - */ -!function(r,i){"use strict";var s;if("object"==typeof n){try{s=t("moment")}catch(e){}o.exports=i(s)}else"function"==typeof e&&e.amd?e(function(e){var t="moment";try{s=e(t)}catch(e){}return i(s)}):r.Pikaday=i(r.moment)}(this,function(e){"use strict";var t="function"==typeof e,o=!!window.addEventListener,n=window.document,r=window.setTimeout,i=function(e,t,n,r){o?e.addEventListener(t,n,!!r):e.attachEvent("on"+t,n)},s=function(e,t,n,r){o?e.removeEventListener(t,n,!!r):e.detachEvent("on"+t,n)},a=function(e,t,o){var r;n.createEvent?(r=n.createEvent("HTMLEvents"),r.initEvent(t,!0,!1),r=y(r,o),e.dispatchEvent(r)):n.createEventObject&&(r=n.createEventObject(),r=y(r,o),e.fireEvent("on"+t,r))},l=function(e){return e.trim?e.trim():e.replace(/^\s+|\s+$/g,"")},u=function(e,t){return(" "+e.className+" ").indexOf(" "+t+" ")!==-1},c=function(e,t){u(e,t)||(e.className=""===e.className?t:e.className+" "+t)},d=function(e,t){e.className=l((" "+e.className+" ").replace(" "+t+" "," "))},h=function(e){return/Array/.test(Object.prototype.toString.call(e))},f=function(e){return/Date/.test(Object.prototype.toString.call(e))&&!isNaN(e.getTime())},p=function(e){var t=e.getDay();return 0===t||6===t},g=function(e){return e%4===0&&e%100!==0||e%400===0},m=function(e,t){return[31,g(e)?29:28,31,30,31,30,31,31,30,31,30,31][t]},w=function(e){f(e)&&e.setHours(0,0,0,0)},v=function(e,t){return e.getTime()===t.getTime()},y=function(e,t,o){var n,r;for(n in t)r=void 0!==e[n],r&&"object"==typeof t[n]&&null!==t[n]&&void 0===t[n].nodeName?f(t[n])?o&&(e[n]=new 
Date(t[n].getTime())):h(t[n])?o&&(e[n]=t[n].slice(0)):e[n]=y({},t[n],o):!o&&r||(e[n]=t[n]);return e},b=function(e){return e.month<0&&(e.year-=Math.ceil(Math.abs(e.month)/12),e.month+=12),e.month>11&&(e.year+=Math.floor(Math.abs(e.month)/12),e.month-=12),e},C={field:null,bound:void 0,position:"bottom left",reposition:!0,format:"YYYY-MM-DD",defaultDate:null,setDefaultDate:!1,firstDay:0,formatStrict:!1,minDate:null,maxDate:null,yearRange:10,showWeekNumber:!1,minYear:0,maxYear:9999,minMonth:void 0,maxMonth:void 0,startRange:null,endRange:null,isRTL:!1,yearSuffix:"",showMonthAfterYear:!1,showDaysInNextAndPreviousMonths:!1,numberOfMonths:1,mainCalendar:"left",container:void 0,i18n:{previousMonth:"Previous Month",nextMonth:"Next Month",months:["January","February","March","April","May","June","July","August","September","October","November","December"],weekdays:["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"],weekdaysShort:["Sun","Mon","Tue","Wed","Thu","Fri","Sat"]},theme:null,onSelect:null,onOpen:null,onClose:null,onDraw:null},_=function(e,t,o){for(t+=e.firstDay;t>=7;)t-=7;return o?e.i18n.weekdaysShort[t]:e.i18n.weekdays[t]},R=function(e){var t=[],o="false";if(e.isEmpty){if(!e.showDaysInNextAndPreviousMonths)return'';t.push("is-outside-current-month")}return e.isDisabled&&t.push("is-disabled"),e.isToday&&t.push("is-today"),e.isSelected&&(t.push("is-selected"),o="true"),e.isInRange&&t.push("is-inrange"),e.isStartRange&&t.push("is-startrange"),e.isEndRange&&t.push("is-endrange"),'"},M=function(e,t,o){var n=new Date(o,0,1),r=Math.ceil(((new Date(o,t,e)-n)/864e5+n.getDay()+1)/7);return''+r+""},S=function(e,t){return""+(t?e.reverse():e).join("")+""},E=function(e){return""+e.join("")+""},O=function(e){var t,o=[];for(e.showWeekNumber&&o.push(""),t=0;t<7;t++)o.push(''+_(e,t,!0)+"");return""+(e.isRTL?o.reverse():o).join("")+""},T=function(e,t,o,n,r,i){var s,a,l,u,c,d=e._o,f=o===d.minYear,p=o===d.maxYear,g='
',m=!0,w=!0;for(l=[],s=0;s<12;s++)l.push('");for(u='
'+d.i18n.months[n]+'
",h(d.yearRange)?(s=d.yearRange[0],a=d.yearRange[1]+1):(s=o-d.yearRange,a=1+o+d.yearRange),l=[];s=d.minYear&&l.push('");return c='
'+o+d.yearSuffix+'
",g+=d.showMonthAfterYear?c+u:u+c,f&&(0===n||d.minMonth>=n)&&(m=!1),p&&(11===n||d.maxMonth<=n)&&(w=!1),0===t&&(g+='"),t===e._o.numberOfMonths-1&&(g+='"),g+="
"},k=function(e,t,o){return''+O(e)+E(t)+"
"},D=function(s){var a=this,l=a.config(s);a._onMouseDown=function(e){if(a._v){e=e||window.event;var t=e.target||e.srcElement;if(t)if(u(t,"is-disabled")||(!u(t,"pika-button")||u(t,"is-empty")||u(t.parentNode,"is-disabled")?u(t,"pika-prev")?a.prevMonth():u(t,"pika-next")&&a.nextMonth():(a.setDate(new Date(t.getAttribute("data-pika-year"),t.getAttribute("data-pika-month"),t.getAttribute("data-pika-day"))),l.bound&&r(function(){a.hide(),l.field&&l.field.blur()},100))),u(t,"pika-select"))a._c=!0;else{if(!e.preventDefault)return e.returnValue=!1,!1;e.preventDefault()}}},a._onChange=function(e){e=e||window.event;var t=e.target||e.srcElement;t&&(u(t,"pika-select-month")?a.gotoMonth(t.value):u(t,"pika-select-year")&&a.gotoYear(t.value))},a._onKeyChange=function(e){if(e=e||window.event,a.isVisible())switch(e.keyCode){case 13:case 27:l.field.blur();break;case 37:e.preventDefault(),a.adjustDate("subtract",1);break;case 38:a.adjustDate("subtract",7);break;case 39:a.adjustDate("add",1);break;case 40:a.adjustDate("add",7)}},a._onInputChange=function(o){var n;o.firedBy!==a&&(t?(n=e(l.field.value,l.format,l.formatStrict),n=n&&n.isValid()?n.toDate():null):n=new Date(Date.parse(l.field.value)),f(n)&&a.setDate(n),a._v||a.show())},a._onInputFocus=function(){a.show()},a._onInputClick=function(){a.show()},a._onInputBlur=function(){var e=n.activeElement;do if(u(e,"pika-single"))return;while(e=e.parentNode);a._c||(a._b=r(function(){a.hide()},50)),a._c=!1},a._onClick=function(e){e=e||window.event;var t=e.target||e.srcElement,n=t;if(t){!o&&u(t,"pika-select")&&(t.onchange||(t.setAttribute("onchange","return;"),i(t,"change",a._onChange)));do if(u(n,"pika-single")||n===l.trigger)return;while(n=n.parentNode);a._v&&t!==l.trigger&&n!==l.trigger&&a.hide()}},a.el=n.createElement("div"),a.el.className="pika-single"+(l.isRTL?" is-rtl":"")+(l.theme?" 
"+l.theme:""),i(a.el,"mousedown",a._onMouseDown,!0),i(a.el,"touchend",a._onMouseDown,!0),i(a.el,"change",a._onChange),i(n,"keydown",a._onKeyChange),l.field&&(l.container?l.container.appendChild(a.el):l.bound?n.body.appendChild(a.el):l.field.parentNode.insertBefore(a.el,l.field.nextSibling),i(l.field,"change",a._onInputChange),l.defaultDate||(t&&l.field.value?l.defaultDate=e(l.field.value,l.format).toDate():l.defaultDate=new Date(Date.parse(l.field.value)),l.setDefaultDate=!0));var c=l.defaultDate;f(c)?l.setDefaultDate?a.setDate(c,!0):a.gotoDate(c):a.gotoDate(new Date),l.bound?(this.hide(),a.el.className+=" is-bound",i(l.trigger,"click",a._onInputClick),i(l.trigger,"focus",a._onInputFocus),i(l.trigger,"blur",a._onInputBlur)):this.show()};return D.prototype={config:function(e){this._o||(this._o=y({},C,!0));var t=y(this._o,e,!0);t.isRTL=!!t.isRTL,t.field=t.field&&t.field.nodeName?t.field:null,t.theme="string"==typeof t.theme&&t.theme?t.theme:null,t.bound=!!(void 0!==t.bound?t.field&&t.bound:t.field),t.trigger=t.trigger&&t.trigger.nodeName?t.trigger:t.field,t.disableWeekends=!!t.disableWeekends,t.disableDayFn="function"==typeof t.disableDayFn?t.disableDayFn:null;var o=parseInt(t.numberOfMonths,10)||1;if(t.numberOfMonths=o>4?4:o,f(t.minDate)||(t.minDate=!1),f(t.maxDate)||(t.maxDate=!1),t.minDate&&t.maxDate&&t.maxDate100&&(t.yearRange=100);return t},toString:function(o){return f(this._d)?t?e(this._d).format(o||this._o.format):this._d.toDateString():""},getMoment:function(){return t?e(this._d):null},setMoment:function(o,n){t&&e.isMoment(o)&&this.setDate(o.toDate(),n)},getDate:function(){return f(this._d)?new Date(this._d.getTime()):new Date},setDate:function(e,t){if(!e)return this._d=null,this._o.field&&(this._o.field.value="",a(this._o.field,"change",{firedBy:this})),this.draw();if("string"==typeof e&&(e=new Date(Date.parse(e))),f(e)){var o=this._o.minDate,n=this._o.maxDate;f(o)&&en&&(e=n),this._d=new 
Date(e.getTime()),w(this._d),this.gotoDate(this._d),this._o.field&&(this._o.field.value=this.toString(),a(this._o.field,"change",{firedBy:this})),t||"function"!=typeof this._o.onSelect||this._o.onSelect.call(this,this.getDate())}},gotoDate:function(e){var t=!0;if(f(e)){if(this.calendars){var o=new Date(this.calendars[0].year,this.calendars[0].month,1),n=new Date(this.calendars[this.calendars.length-1].year,this.calendars[this.calendars.length-1].month,1),r=e.getTime();n.setMonth(n.getMonth()+1),n.setDate(n.getDate()-1),t=r=i&&(this._y=i,!isNaN(a)&&this._m>a&&(this._m=a)),t="pika-title-"+Math.random().toString(36).replace(/[^a-z]+/g,"").substr(0,2);for(var u=0;u'+T(this,u,this.calendars[u].year,this.calendars[u].month,this.calendars[0].year,t)+this.render(this.calendars[u].year,this.calendars[u].month,t)+"";this.el.innerHTML=l,o.bound&&"hidden"!==o.field.type&&r(function(){o.trigger.focus()},1),"function"==typeof this._o.onDraw&&this._o.onDraw(this),o.bound&&o.field.setAttribute("aria-label","Use the arrow keys to pick a date")}},adjustPosition:function(){var e,t,o,r,i,s,a,l,u,c;if(!this._o.container){if(this.el.style.position="absolute",e=this._o.trigger,t=e,o=this.el.offsetWidth,r=this.el.offsetHeight,i=window.innerWidth||n.documentElement.clientWidth,s=window.innerHeight||n.documentElement.clientHeight,a=window.pageYOffset||n.body.scrollTop||n.documentElement.scrollTop,"function"==typeof e.getBoundingClientRect)c=e.getBoundingClientRect(),l=c.left+window.pageXOffset,u=c.bottom+window.pageYOffset;else for(l=t.offsetLeft,u=t.offsetTop+t.offsetHeight;t=t.offsetParent;)l+=t.offsetLeft,u+=t.offsetTop;(this._o.reposition&&l+o>i||this._o.position.indexOf("right")>-1&&l-o+e.offsetWidth>0)&&(l=l-o+e.offsetWidth),(this._o.reposition&&u+r>s+a||this._o.position.indexOf("top")>-1&&u-r-e.offsetHeight>0)&&(u=u-r-e.offsetHeight),this.el.style.left=l+"px",this.el.style.top=u+"px"}},render:function(e,t,o){var n=this._o,r=new Date,i=m(e,t),s=new 
Date(e,t,1).getDay(),a=[],l=[];w(r),n.firstDay>0&&(s-=n.firstDay,s<0&&(s+=7));for(var u=0===t?11:t-1,c=11===t?0:t+1,d=0===t?e-1:e,h=11===t?e+1:e,g=m(d,u),y=i+s,b=y;b>7;)b-=7;y+=7-b;for(var C=0,_=0;C=i+s,x=1+(C-s),H=t,A=e,P=n.startRange&&v(n.startRange,E),N=n.endRange&&v(n.endRange,E),L=n.startRange&&n.endRange&&n.startRangen.maxDate||n.disableWeekends&&p(E)||n.disableDayFn&&n.disableDayFn(E);D&&(C=0&&($=c(function(){"boolean"!=typeof F.deactivated&&(F.deactivated=!0),F.deactivated===!0&&et.emit({type:"error",name:"flash-deactivated"})},e)),F.overdue=!1,Ae())))):(F.ready=!1,void et.emit({type:"error",name:"browser-unsupported"}))},de=function(){et.clearData(),et.blur(),et.emit("destroy"),Pe(),et.off()},he=function(e,t){var o;if("object"==typeof e&&e&&"undefined"==typeof t)o=e,et.clearData();else{if("string"!=typeof e||!e)return;o={},o[e]=t}for(var n in o)"string"==typeof n&&n&&R.call(o,n)&&"string"==typeof o[n]&&o[n]&&(U[n]=Ze(o[n]))},fe=function(e){"undefined"==typeof e?(x(U),G=null):"string"==typeof e&&R.call(U,e)&&delete U[e]},pe=function(e){return"undefined"==typeof e?T(U):"string"==typeof e&&R.call(U,e)?U[e]:void 0},ge=function(e){if(e&&1===e.nodeType){i&&(ze(i,ee.activeClass),i!==e&&ze(i,ee.hoverClass)),i=e,Fe(e,ee.hoverClass);var t=e.getAttribute("title")||ee.title;if("string"==typeof t&&t){var o=xe(F.bridge);o&&o.setAttribute("title",t)}var n=ee.forceHandCursor===!0||"pointer"===Ye(e,"cursor");Xe(n),Ke()}},me=function(){var e=xe(F.bridge);e&&(e.removeAttribute("title"),e.style.left="0px",e.style.top="-9999px",e.style.width="1px",e.style.height="1px"),i&&(ze(i,ee.hoverClass),ze(i,ee.activeClass),i=null)},we=function(){return i||null},ve=function(e){return"string"==typeof e&&e&&/^[A-Za-z][A-Za-z0-9_:\-\.]*$/.test(e)},ye=function(e){var t;if("string"==typeof e&&e?(t=e,e={}):"object"==typeof e&&e&&"string"==typeof 
e.type&&e.type&&(t=e.type),t){t=t.toLowerCase(),!e.target&&(/^(copy|aftercopy|_click)$/.test(t)||"error"===t&&"clipboard-error"===e.name)&&(e.target=s),O(e,{type:t,target:e.target||i||null,relatedTarget:e.relatedTarget||null,currentTarget:F&&F.bridge||null,timeStamp:e.timeStamp||C()||null});var o=X[e.type];return"error"===e.type&&e.name&&o&&(o=o[e.name]),o&&(e.message=o),"ready"===e.type&&O(e,{target:null,version:F.version}),"error"===e.type&&(J.test(e.name)&&O(e,{target:null,minimumVersion:z}),Q.test(e.name)&&O(e,{version:F.version}),"flash-insecure"===e.name&&O(e,{pageProtocol:a.location.protocol,swfProtocol:ue()})),"copy"===e.type&&(e.clipboardData={setData:et.setData,clearData:et.clearData}),"aftercopy"===e.type&&(e=Le(e,G)),e.target&&!e.relatedTarget&&(e.relatedTarget=be(e.target)),Ce(e)}},be=function(e){var t=e&&e.getAttribute&&e.getAttribute("data-clipboard-target");return t?l.getElementById(t):null},Ce=function(e){if(e&&/^_(?:click|mouse(?:over|out|down|up|move))$/.test(e.type)){var t=e.target,o="_mouseover"===e.type&&e.relatedTarget?e.relatedTarget:n,r="_mouseout"===e.type&&e.relatedTarget?e.relatedTarget:n,i=Ue(t),s=a.screenLeft||a.screenX||0,u=a.screenTop||a.screenY||0,c=l.body.scrollLeft+l.documentElement.scrollLeft,d=l.body.scrollTop+l.documentElement.scrollTop,h=i.left+("number"==typeof e._stageX?e._stageX:0),f=i.top+("number"==typeof e._stageY?e._stageY:0),p=h-c,g=f-d,m=s+p,w=u+g,v="number"==typeof e.movementX?e.movementX:0,y="number"==typeof e.movementY?e.movementY:0;delete e._stageX,delete e._stageY,O(e,{srcElement:t,fromElement:o,toElement:r,screenX:m,screenY:w,pageX:h,pageY:f,clientX:p,clientY:g,x:p,y:g,movementX:v,movementY:y,offsetX:0,offsetY:0,layerX:0,layerY:0})}return e},_e=function(e){var t=e&&"string"==typeof e.type&&e.type||"";return!/^(?:(?:before)?copy|destroy)$/.test(t)},Re=function(e,t,o,n){n?c(function(){e.apply(t,o)},0):e.apply(t,o)},Me=function(e){if("object"==typeof e&&e&&e.type){var 
t=_e(e),o=Y["*"]||[],n=Y[e.type]||[],r=o.concat(n);if(r&&r.length){var i,s,l,u,c,d=this;for(i=0,s=r.length;i0){var t=T(e);O(t,{type:"error",name:"clipboard-error"}),delete t.success,c(function(){et.emit(t)},0)}},Te=function(e){if(e&&"string"==typeof e.type&&e){var t,o=e.target||null,n=o&&o.ownerDocument||l,r={view:n.defaultView||a,canBubble:!0,cancelable:!0,detail:"click"===e.type?1:0,button:"number"==typeof e.which?e.which-1:"number"==typeof e.button?e.button:n.createEvent?0:1},i=O(r,e);o&&n.createEvent&&o.dispatchEvent&&(i=[i.type,i.canBubble,i.cancelable,i.view,i.detail,i.screenX,i.screenY,i.clientX,i.clientY,i.ctrlKey,i.altKey,i.shiftKey,i.metaKey,i.button,i.relatedTarget],t=n.createEvent("MouseEvents"),t.initMouseEvent&&(t.initMouseEvent.apply(t,i),t._source="js",o.dispatchEvent(t)))}},ke=function(){var e=ee.flashLoadTimeout;if("number"==typeof e&&e>=0){var t=Math.min(1e3,e/10),o=ee.swfObjectId+"_fallbackContent";K=h(function(){var e=l.getElementById(o);Ge(e)&&($e(),F.deactivated=null,et.emit({type:"error",name:"swf-not-found"}))},t)}},De=function(){var e=l.createElement("div");return e.id=ee.containerId,e.className=ee.containerClass,e.style.position="absolute",e.style.left="0px",e.style.top="-9999px",e.style.width="1px",e.style.height="1px",e.style.zIndex=""+qe(ee.zIndex),e},xe=function(e){for(var t=e&&e.parentNode;t&&"OBJECT"===t.nodeName&&t.parentNode;)t=t.parentNode;return t||null},He=function(e){return"string"==typeof e&&e?e.replace(/["&'<>]/g,function(e){switch(e){case'"':return""";case"&":return"&";case"'":return"'";case"<":return"<";case">":return">";default:return e}}):e},Ae=function(){var e,t=F.bridge,o=xe(t);if(!t){var n=Ve(a.location.host,ee),r="never"===n?"none":"all",i=We(O({jsVersion:et.version},ee)),s=ee.swfPath+Ie(ee.swfPath,ee);B&&(s=He(s)),o=De();var u=l.createElement("div");o.appendChild(u),l.body.appendChild(o);var c=l.createElement("div"),d="activex"===F.pluginType;c.innerHTML='"+(d?'':"")+'
 
',t=c.firstChild,c=null,S(t).ZeroClipboard=et,o.replaceChild(t,u),ke()}return t||(t=l[ee.swfObjectId],t&&(e=t.length)&&(t=t[e-1]),!t&&o&&(t=o.firstChild)),F.bridge=t||null,t},Pe=function(){var e=F.bridge;if(e){var t=xe(e);t&&("activex"===F.pluginType&&"readyState"in e?(e.style.display="none",function o(){if(4===e.readyState){for(var n in e)"function"==typeof e[n]&&(e[n]=null);e.parentNode&&e.parentNode.removeChild(e),t.parentNode&&t.parentNode.removeChild(t)}else c(o,10)}()):(e.parentNode&&e.parentNode.removeChild(e),t.parentNode&&t.parentNode.removeChild(t))),$e(),F.ready=null,F.bridge=null,F.deactivated=null,F.insecure=null,r=n}},Ne=function(e){var t={},o={};if("object"==typeof e&&e){for(var n in e)if(n&&R.call(e,n)&&"string"==typeof e[n]&&e[n])switch(n.toLowerCase()){case"text/plain":case"text":case"air:text":case"flash:text":t.text=e[n],o.text=n;break;case"text/html":case"html":case"air:html":case"flash:html":t.html=e[n],o.html=n;break;case"application/rtf":case"text/rtf":case"rtf":case"richtext":case"air:rtf":case"flash:rtf":t.rtf=e[n],o.rtf=n}return{data:t,formatMap:o}}},Le=function(e,t){if("object"!=typeof e||!e||"object"!=typeof t||!t)return e;var o={};for(var n in e)if(R.call(e,n))if("errors"===n){o[n]=e[n]?e[n].slice():[];for(var r=0,i=o[n].length;r0){if(1===i&&"*"===r[0])return"always";if(r.indexOf(t)!==-1)return 1===i&&t===n?"sameDomain":"always"}return"never"}}(),Be=function(){try{return l.activeElement}catch(e){return null}},Fe=function(e,t){var o,n,r,i=[];if("string"==typeof t&&t&&(i=t.split(/\s+/)),e&&1===e.nodeType&&i.length>0){for(r=(" "+(e.className||"")+" ").replace(/[\t\r\n\f]/g," "),o=0,n=i.length;o0&&e.className){for(r=(" "+e.className+" ").replace(/[\t\r\n\f]/g," "),o=0,n=i.length;o0,n=y(t.width)>0,r=y(t.top)>=0,i=y(t.left)>=0,s=o&&n&&r&&i,a=s?null:Ue(e),l="none"!==t.display&&"collapse"!==t.visibility&&(s||!!a&&(o||a.height>0)&&(n||a.width>0)&&(r||a.top>=0)&&(i||a.left>=0));return l},$e=function(){d($),$=0,f(K),K=0},Ke=function(){var 
e;if(i&&(e=xe(F.bridge))){var t=Ue(i);O(e.style,{width:t.width+"px",height:t.height+"px",top:t.top+"px",left:t.left+"px",zIndex:""+qe(ee.zIndex)})}},Xe=function(e){F.ready===!0&&(F.bridge&&"function"==typeof F.bridge.setHandCursor?F.bridge.setHandCursor(e):F.ready=!1)},qe=function(e){if(/^(?:auto|inherit)$/.test(e))return e;var t;return"number"!=typeof e||b(e)?"string"==typeof e&&(t=qe(v(e,10))):t=e,"number"==typeof t?t:"auto"},Ze=function(e){var t=/(\r\n|\r|\n)/g;return"string"==typeof e&&ee.fixLineEndings===!0&&(j()?/((^|[^\r])\n|\r([^\n]|$))/.test(e)&&(e=e.replace(t,"\r\n")):/\r/.test(e)&&(e=e.replace(t,"\n"))),e},Je=function(e){var o,n,r,i=F.sandboxed,s=null;if(e=e===!0,V===!1)s=!1;else{try{n=t.frameElement||null}catch(e){r={name:e.name,message:e.message}}if(n&&1===n.nodeType&&"IFRAME"===n.nodeName)try{s=n.hasAttribute("sandbox")}catch(e){s=null}else{try{o=document.domain||null}catch(e){o=null}(null===o||r&&"SecurityError"===r.name&&/(^|[\s\(\[@])sandbox(es|ed|ing|[\s\.,!\)\]@]|$)/.test(r.message.toLowerCase()))&&(s=!0)}}return F.sandboxed=s,i===s||e||Qe(m),s},Qe=function(e){function t(e){var t=e.match(/[\d]+/g);return t.length=3,t.join(".")}function o(e){return!!e&&(e=e.toLowerCase())&&(/^(pepflashplayer\.dll|libpepflashplayer\.so|pepperflashplayer\.plugin)$/.test(e)||"chrome.plugin"===e.slice(-13))}function n(e){e&&(a=!0,e.version&&(d=t(e.version)),!d&&e.description&&(d=t(e.description)),e.filename&&(c=o(e.filename)))}var r,i,s,a=!1,l=!1,c=!1,d="";if(u.plugins&&u.plugins.length)r=u.plugins["Shockwave Flash"],n(r),u.plugins["Shockwave Flash 2.0"]&&(a=!0,d="2.0.0.11");else if(u.mimeTypes&&u.mimeTypes.length)s=u.mimeTypes["application/x-shockwave-flash"],r=s&&s.enabledPlugin,n(r);else if("undefined"!=typeof e){l=!0;try{i=new e("ShockwaveFlash.ShockwaveFlash.7"),a=!0,d=t(i.GetVariable("$version"))}catch(o){try{i=new e("ShockwaveFlash.ShockwaveFlash.6"),a=!0,d="6.0.21"}catch(o){try{i=new 
e("ShockwaveFlash.ShockwaveFlash"),a=!0,d=t(i.GetVariable("$version"))}catch(e){l=!1}}}}F.disabled=a!==!0,F.outdated=d&&y(d)0,r=!e.target||n&&o.indexOf(e.target)!==-1,i=e.relatedTarget&&n&&o.indexOf(e.relatedTarget)!==-1,s=e.client&&e.client===this;return!(!t||!(r||i||s))},mt=function(e){var t=ot[this.id];if("object"==typeof e&&e&&e.type&&t){var o=_e(e),n=t&&t.handlers["*"]||[],r=t&&t.handlers[e.type]||[],i=n.concat(r);if(i&&i.length){var s,l,u,c,d,h=this;for(s=0,l=i.length;s`_. + Data Components are constituent pieces of the data source, which are best described + separately. Components may have their own set of metadata (describing the associated + fields/values associated with the source) and activities (describing actions of the + source). ATT&CK Data Sources and Data Components can be found `here + `__. Data Elements -------------- -Data elements are names, definitions, and attributes that are being used or captured in an event - -.. image:: _static/msdn_4688_ex.png - :width: 500 + Data Elements are names, definitions, and attributes that are being used or captured + in an event. -Sensors -------- -A sensor is an agent or service capable of detecting or measuring information across many different sources on a host in real-time. Sensors provide raw data with high precision and accuracy. + .. image:: _static/msdn_4688_ex.png + :width: 500 -Telemetry/Events ----------------- -Telemetry/events are generated by sensors in the form of log data, automatically generated and transmitted or streamed in near real-time, regardless of the format (e.g., json, csv, etc.). +Data Source + Data Sources represents information collected by a sensor or logging system that may + identify properties or values relevant to identifying the adversarial action being + ATT&CK Data Sources and Data Components can be found `here + `__. performed, sequence of actions, or the + results of those actions. -.. 
image:: _static/4688_ex.png - :width: 500 +MITRE ATT&CK + MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and + techniques based on real-world observations. ATT&CK focuses on how external + adversaries compromise and operate within computer networks. + +Sensor + A sensor is an agent or service capable of detecting or measuring information across + many different sources on a host or network in real-time. Sensors provide raw data + with high precision and accuracy. + +[Sub-]Technique + Techniques represent the "how" of cyber intrusions, i.e. the means by which + adversaries achieve tactical objective. Sub-techniques break down techniques into + more fine-grained descriptions of adversary behaviors. + +Telemetry + Telemetry consists of discrete events that are generated by sensors, e.g. log data. + Telemetry may be delivered in various formats (e.g., json, csv, etc.) and is often + streamed in near real-time. + + .. image:: _static/4688_ex.png + :width: 500 diff --git a/docs/example_technique_mappings/cloudtrail.rst b/docs/example_technique_mappings/cloudtrail.rst index 6b4a172..01b5417 100644 --- a/docs/example_technique_mappings/cloudtrail.rst +++ b/docs/example_technique_mappings/cloudtrail.rst 
@@ -1,125 +1,129 @@ CloudTrail Example Scenarios ============================ -Both CloudTrail examples involve User Account data components. The first review the use of -User Account Modification to provide visibility into Account Manipulation (T1098), while the -second considers User Account Metadata for detection of Password Policy Discovery (T1201) -behavior. +Both CloudTrail examples involve User Account data components. The first reviews the use +of User Account Modification to provide visibility into `Account Manipulation (T1098) +`__, while the second considers User Account +Metadata for detection of `Password Policy Discovery (T1201) +`__ behavior. Account Manipulation (T1098) ---------------------------- -The following are the criteria considered for Account Manipulation (T1098). These were -directly taken by reviewing the definition of the technique. +The following are the criteria considered for Account Manipulation (T1098). These were +directly taken by reviewing the definition of the technique. .. image:: ../_static/cldtrlex1.png - :width: 700 -1. Looking at the event logs themselves, is this enough proof or evidence to determine - “changes to account objects were made under this technique”? +**Looking at the event data, is this enough evidence to conclude that an account was +manipulated per T1098?** Most CloudTrail events are straightforward, and the associated +API call performs a User Account Modification that meets the criteria for concluding +that an Account Manipulation has occurred. - Most CloudTrail events are straightforward, and the associated API call performs a - User Account Modification that meets the criteria for proving an Account Manipulation - may have occurred. +**TagUser:** - User must be valid on system or domain +*Yes.* Careful attention was given to CloudTrail Roles, and related information. 
For +example, the “TagUser/UntagUser” API entry was examined to determine that the act of +Tagging/Untagging met the conditions to change (give or takeaway) access. One concept +that came up was to explore relevant sub-techniques, in case those could provide +additional insight in deciding if an event met the defined conditions: - - Any Action preserves an adversary access - - Modifying credentials - - Modifying permissions to groups - - Activity designed to subvert security policies + * `Additional Cloud Credentials (T1098.001) + `__ + * `Additional Cloud Roles (T1098.003) + `__ - * TagUser +*References:* - Event information: `AWS Documentation - AddTags `_ + * `AWS Documentation - AddTags + `__ - Yes. Careful attention was given to CloudTrail Roles, and related information. For - example, the “TagUser/UntagUser” API entry was examined to determine that the act of - Tagging/Untagging met the conditions to change (give or takeaway) access. +**UpdateUser:** - One concept that came up was to also explore relevant sub-techniques, in case those could - provide additional insight in deciding if an event met the defined conditions: +*Yes.* Another interesting event is UpdateUser. As an API call, it does not perform a +technical action that results in literal modification of concern (i.e., no access or +permissions for an IAM user is changed). It does not preserve adversary action in a +purely technical sense. HOWEVER: It does qualify because it could be used to “hide in +plain sight” The event is worth noting as potential evidence of (an unexpected) name +change. - - `Additional Cloud Credentials (T1098.001) `_ - - `Additional Cloud Roles (T1098.003) `_ +*References:* - * UpdateUser +* `AWS Documentation - UpdateUser + `__ - Event information: `AWS Documentation - UpdateUser `_ +**UploadSigningCertificate:** - Yes. Another interesting event is UpdateUser. 
As an API call, it does not perform a - technical action that results in literal modification of concern (i.e., no access or - permissions for an IAM user is changed). It does not preserve adversary action in a - purely technical sense. HOWEVER: It does qualify because it could be used to “hide in - plain sight” The event is worth noting as potential evidence of (an unexpected) name - change. +*Yes.* This provides the name of the IAM user the signing certificate is for and the +contents of the signing certificate. The elements provide information that can be used +to look for changes to account objects. - * UploadSigningCertificate +*References:* - Event information: `AWS Documentation- UploadSigningCertificate `_ - - Yes. This provides the name of the IAM user the signing certificate is for and the - contents of the signing certificate. The elements provide information that can be used - to look for changes to account objects. - - Additional information: `AWS Documentation - SetSecurityTokenServicePreferences `_ +* `AWS Documentation- UploadSigningCertificate + `__ +* `AWS Documentation - SetSecurityTokenServicePreferences + `__ Password Policy Discovery (T1201) ----------------------------------- +--------------------------------- -The following are the criteria considered for Password Policy Discovery (T1201). These -were directly taken by reviewing the definition of the technique. +The following are the criteria considered for Password Policy Discovery (T1201). These +were directly taken by reviewing the definition of the technique. .. image:: ../_static/cldtrlex2.png - :width: 700 - -1. Looking at the event logs themselves, is this enough proof or evidence to determine - “are attempts being made to access detailed information about the password policy - under this technique”? - This technique may be used by adversaries attempting to access/obtain detailed password - policy information. 
This policy information may aid the creation of password lists for - dictionary or brute force attacks. +**Looking at the event data, is this enough evidence to conclude that attempts were +being made to access detailed information about the password policy per technique +T1201?** This technique may be used by adversaries attempting to access/obtain detailed +password policy information. This policy information may aid the creation of password +lists for dictionary or brute force attacks. - * CreatePolicyVersion + **CreatePolicyVersion:** - Event information: `AWS Documentation - CreatePolicyVersion `_ +*No.* This contains details about IAM policy versions, but does not provide information +about attempts to access policy documents. - No. This contains details about IAM policy versions, but does not provide information about - attempts to access policy documents. +*References:* - * GetAccountPasswordPolicy +* `AWS Documentation - CreatePolicyVersion + `__ - Event information: `AWS Documentation - GetAccountPasswordPolicy `_ +**GetAccountPasswordPolicy:** - Yes. 
The description of T1201 references that “password policies can be discovered in cloud - environments using available APIs such as GetAccountPasswordPolicy in AWS.” +*Yes.* The description of T1201 references that “password policies can be discovered in +cloud environments using available APIs such as GetAccountPasswordPolicy in AWS.” - Select Examples of User Account Metadata events: +Select examples of User Account Metadata events: * AttachRolePolicy * AttachUserPolicy * CreatePolicy * CreatePolicyVersion - * DeleteAccountPasswordPolicy * DeletePolicyVersoin * DeleteRolePolicy * DeleteUserPolicy * DetachUserPolicy * DetachRolePolicy - * ChangePassword * GenerateCredentialReport * GetAccountPasswordPolicy - * ListAttachedRolePolicies * ListEntitiesForPolicy * ListPoliciesGrantingServiceAccess - * GetLoginProfile +*References:* + +* `AWS Documentation - GetAccountPasswordPolicy + `__ + +**GetLoginProfile:** + +*No.* This contains information about IAM usernames and password creation dates, not +actual passwords or password policy constructs. - Event information: `AWS Documentation - GetLoginProfile `_ +*References:* - No. This contains information about IAM usernames and password creation dates, not - actual passwords or password policy constructs. \ No newline at end of file +* `AWS Documentation - GetLoginProfile + `__ diff --git a/docs/example_technique_mappings/index.rst b/docs/example_technique_mappings/index.rst index c1d2778..561d594 100644 --- a/docs/example_technique_mappings/index.rst +++ b/docs/example_technique_mappings/index.rst 
@@ -1,23 +1,20 @@ -.. _Example Pages: - -====================================== Example Scenarios -====================================== - -Overview --------- +================= -Examples are provided to depict how these mappings can be used to get from Sensor Events to ATT&CK Data Sources to -ATT&CK Techniques. It should be stated up front that there is no easy, one-to-one mapping from data source to technique. -In addition, not all events are created equal in regard to visibility of specific techniques, and two events with the -same field names can in fact represent different data. Some amount of analyst judgement is required and, whenever -judgement is involved, there can be differences in opinion. The mapping methodology and these examples are provided to -demonstrate the judgement and rationale to apply when identifying specific event visibility into techniques. Of course, -additonal customized considerations must also be given when looking to provide insight into a specific environment. +Examples are provided to depict how these mappings can be used to get from Sensor Events +to ATT&CK Data Sources to ATT&CK Techniques. It should be stated up front that there is +no easy, one-to-one mapping from data source to technique. In addition, not all events +are created equal in regard to visibility of specific techniques, and two events with +the same field names can in fact represent different data. Some amount of analyst +judgement is required and, whenever judgement is involved, there can be differences in +opinion. The mapping methodology and these examples are provided to demonstrate the +judgement and rationale to apply when identifying specific event visibility into +techniques. Of course, additonal customized considerations must also be given when +looking to provide insight into a specific environment. .. toctree:: windows linux cloudtrail - network \ No newline at end of file + network 
diff --git a/docs/example_technique_mappings/linux.rst b/docs/example_technique_mappings/linux.rst
index ce5b007..7d2bbf2 100644
--- a/docs/example_technique_mappings/linux.rst
+++ b/docs/example_technique_mappings/linux.rst
@@ -1,43 +1,46 @@ Linux Example Scenario ====================== -For example, the mapped Auditd events of ADD_USER and ANOM_ADD_ACCOUNT are considered -for potential detection of Create Local Account (T1136.001). +The Linux example explores `Local Account (T1136.001) +`__ and usage of the mappings done under +this project to provide visibility using the Auditd events: ``ADD_USER`` and +``ANOM_ADD_ACCOUNT``. + Create Local Account (T1136.001) -------------------------------------------------- +-------------------------------- -This example explores Auditd events mapped to the User Account Creation data component and -their potential visibility into detecting activity associated with Create Local Account -(T1136.001). +This example explores Auditd events mapped to the User Account Creation data component and +their potential visibility into detecting activity associated with Create Local Account +(T1136.001). .. image:: ../_static/linuxex1.png - :width: 700 - -1. Looking at the event logs, is this enough proof or evidence to determine that "a local - account was created under this technique”? - - It could be inferred by the name of the technique and the names of the Auditd events of - ADD_USER and ANOM_ADD_ACCOUNT that these events may be associated with the technique. - Further context is needed, though to see if these events can be directly associated with - the technique. - - Auditd event information: `Linux man page - auditd(8) `_ - - Use /var/log/audit/audit.log to search on event names. - - Systemd journal is a Linux system service that collects and stores logging data. Systemd - journal reflects user creation activity and attendant commands but does not appear to display - the event names in RHEL-derived distributions. Also, systemd journal is not 100% accurate. - For example, user creation/deletion events are not copied from auditd to the journal with - perfect fidelity, depending on distribution. - - * ADD_USER - - Yes. 
This event is triggered when a user-space user account is created, which in this case - could be directly associated with User Account Creation of a local account. - - * ANOM_ADD_ACCOUNT - - No. This event is only triggered when the addition of user-space account ends abnormally. It - does not simply provide information specifically for new account creation. + +**Looking at the event data, is this enough evidence to conclude that a user account was +created per T1136.001?** It could be inferred by the name of the technique and the names +of the Auditd events of ADD_USER and ANOM_ADD_ACCOUNT that these events may be +associated with the technique. Further context is needed, though to see if these events +can be directly associated with the technique. Use ``/var/log/audit/audit.log`` to +search on event names. + +**ADD_USER:** + +*Yes.* This event is triggered when a user account is created, which in this case could +be directly associated with User Account Creation of a local account. + +**ANOM_ADD_ACCOUNT:** + +*No.* This event is only triggered when the addition of account ends abnormally. It does +not simply provide information specifically for new account creation. + +*References:* + +* `Linux man page - auditd(8) `_ + +.. warning:: + + Systemd Journal is a Linux system service that collects and stores logging data. Systemd + Journal reflects user creation activity and attendant commands but does not appear to + display the event names in RHEL-derived distributions. Also, Systemd Journal is not 100% + accurate. For example, user creation/deletion events are not copied from auditd to the + journal with perfect fidelity, depending on distribution. diff --git a/docs/example_technique_mappings/network.rst b/docs/example_technique_mappings/network.rst index e40771e..5f99b7c 100644 --- a/docs/example_technique_mappings/network.rst +++ b/docs/example_technique_mappings/network.rst 
@@ -1,47 +1,55 @@ Network Example Scenario ======================== -This example explores usage of events detected using network traffic content to provide -potential visibility into detecting activity associated with Data from Configuration -Repository: SNMP (T1602.001). +This example explores usage of events detected using network traffic to provide +potential visibility into detecting activity associated with `SNMP (MIB Dump) +(T1602.001) `__. Data from Configuration Repository: SNMP (T1602.001) ---------------------------------------------------- -The example explores the use of network traffic information to find evidence of the collection -and/or mining of information in a network managed Data from Configuration Repository: SNMP -(T1602.001). Network Traffic Content is a data component of this technique, and the Zeek events -of Snmp_report, Ssl_plaintext_data, http_entity_data have been mapped to this data component -under this project. +The example explores the use of network traffic information to find evidence of the +collection and/or mining of information in a network managed Data from Configuration +Repository: SNMP (T1602.001). Network Traffic Content is a data component of this +technique, and the Zeek events of ``Snmp_report``, ``Ssl_plaintext_data``, +``http_entity_data`` have been mapped to this data component under this project. .. image:: ../_static/networkex1.png - :width: 700 -1. Looking at the events themselves, is this enough proof or evidence to determine "data is - being collected or mined using Simple Network Management Protocol (SNMP)"? - - To find evidence of an adversary gathering data using SNMP, network traffic content and - patterns can be monitored and analyzed. 
- - * snmp_report +**Looking at the event data, is this enough evidence to conclude that data is being +collected or mined using Simple Network Management Protocol (SNMP) per technique +T1602.001?** To find evidence of an adversary gathering data using SNMP, network traffic +can be monitored and analyzed. - Event information: `Book of Zeek - snmp_report `_ +**snmp_report:** - Yes. Monitor and analyze unusual SNMP reply packet content and inspect information associated - with the host that sent it (e.g. snmp traffic originating from unauthorized or untrusted hosts, - signature detection for strings mapped to device configurations, anomolies in snmp requests). +*Yes.* Monitor and analyze unusual SNMP reply packet content and inspect information +associated with the host that sent it (e.g. snmp traffic originating from unauthorized +or untrusted hosts, signature detection for strings mapped to device configurations, +anomolies in snmp requests). - * ssl_plaintext_data +*References:* - Event information: `Book of Zeek - ssl_plaintext_data `_ +* `Book of Zeek - snmp_report + `__ - Yes. Inspect SSL/TLS messages sent before full session encryption starts for specific data - being collected. +**ssl_plaintext_data:** - * http_entity_data +*Yes.* Inspect SSL/TLS messages sent before full session encryption starts for specific +data being collected. - Event information: `Book of Zeek - http_entity_data `_ +*References:* - Not likely. This is useful for Hypertext Transfer Protocol (HTTP) traffic content, which is - also a TCP/IP protocol. SNMP communication through applets is possible using HTTP protocol, but - is less efficient. \ No newline at end of file +* `Book of Zeek - ssl_plaintext_data + `__ + +**http_entity_data:** + +*Not likely.* This is useful for Hypertext Transfer Protocol (HTTP) traffic content, +which is also a TCP/IP protocol. SNMP communication through applets is possible using +HTTP protocol, but is less efficient. 
+ +*References:* + +* `Book of Zeek - http_entity_data + `_
diff --git a/docs/example_technique_mappings/windows.rst b/docs/example_technique_mappings/windows.rst
index 2e793f2..d486712 100644
--- a/docs/example_technique_mappings/windows.rst
+++ b/docs/example_technique_mappings/windows.rst
@@ -1,76 +1,96 @@ Windows Example Scenarios ========================= -Both Windows-based examples explore Create or Modify System Process (T1543) and usage -of the mappings done under this project to provide visibility into that technique. +Both Windows-based examples explore `Create or Modify System Process (T1543) +`__ and usage of the mappings done under this +project to provide visibility into that technique. -Create or Modify System Process (T1543) Example 1 -------------------------------------------------- +Example 1: Create or Modify System Process (T1543) +-------------------------------------------------- -As identified in the SMAP mappings, process creation information can be collected by -Sysmon 1, WinEvtx 4688, WinEvtx 4696. This first example walks through why WinEvtx 4696 +As identified in the SMAP mappings, process creation information can be collected by +Sysmon 1, WinEvtx 4688, WinEvtx 4696. This first example walks through why WinEvtx 4696 may not be a feasible detection for Create or Modify System Process (T1543). .. image:: ../_static/winex1.png - :width: 700 -1. Looking at the event logs themselves, is this enough proof or evidence to determine - “the process was created or modified under this technique”? - - It is evident by the name of the technique and the descriptions of Sysmon EID 1 and WinEvtx - 4688 how these events are directly associated with the technique. - - * Sysmon EID 1 - - Event information: `Ultimate Windows Security - Sysmon Event ID 1 `_ - - Yes. Sysmon EID 1 simply triggers when a new process is created, which (in this context) may - be created during installation of new software or as part of automated, repeated execution of - software such as services. This event's attributes provides very detailed information about the - process and the process execution, which is enough to indicate that this technique (Create or - Modify System Process) could have occurred. 
- -* WinEvtxEID 4688 - - Event information: `Ultimate Windows Security - Windows Security Log Event ID 4688 `_, `Microsoft Learn - 4688(S) `_ - - Yes. When a system process or a user opens an executable, Windows creates a process in which - that executable runs. Hence, this event is generated every time a program is started or executed. - All necessary details about the executed program, who the program ran as, and the process that - started the process are provided by the event. This provides evidence to indicate that this - technique (Create or Modify System Process) could have occurred. - -* WinEvtx EID 4696 - - Event information: `Ultimate Windows Security - Windows Security Log Event ID 4696 `_, `Ultimate Windows Security - Detailed Tracking Events `_, `Microsoft Learn - 4696(S) `_, `Microsoft Learn - Access Tokens `_ - - Maybe. A primary token is an access token that is typically created only by the Windows kernel - and is assigned to a process to represent the default security information for that process. - Every process or thread executed on behalf of a user has a copy of the token which is used to - identify the user's identity and privileges. This primary token is assigned to a process when - the process is created, which is why this event falls under process creation. This event, however, - will only be generated when a process (usually a service or a scheduled task) starts under the - authority of a different user than the user who created the process. In other words, this event - triggers every time a process runs using the non-current access token. To verify that the access - token is non-current we need to compare the Security ID, Account Name, Account Domain, and Logon ID - attributes of the new token information with the subject information attributes provided by this event. - - Background: An access token contains the security information for a logon session. 
The system creates - an access token when a user logs on, and every process executed on behalf of the user has a copy of the - token. The token identifies the user, the user's groups, and the user's privileges. The system uses the - token to control access to securable objects and to control the ability of the user to perform various - system-related operations on the local computer. There are two kinds of access token, primary and - impersonation. - - Caveat: This event does not generate when the process starts with the authority of the same user that - created the process. Therefore, if the new process has the same target user as the user of the parent process, - this event will not trigger. WinEvtx EID 4688 includes the primary token assigned to the new process. Also, - this event is deprecated starting from Windows 7 and Windows 2008 R2, with Windows Server 2008 and Windows - Vista as minimum OS versions. - -2. Review specific attributes of the event logs: - - Sysmon EID 1: +**Looking at the event data, is this enough evidence to conclude that the process was +created or modified per T1543?** Let us examine each of the events in order to answer +this question. + +**Sysmon EID 1:** + +*Yes.* Sysmon EID 1 simply triggers when a new process is created, which (in this +context) may be created during installation of new software or as part of automated, +repeated execution of software such as services. This event's attributes provides +very detailed information about the process and the process execution, which is +enough to indicate that this technique (Create or Modify System Process) could have +occurred. + +*References:* + +* `Ultimate IT Security: Sysmon Event ID 1 + `__ + +**WinEvtx EID 4688:** + +*Yes.* When a system process or a user opens an executable, Windows creates a process in which +that executable runs. Hence, this event is generated every time a program is started or executed. 
+All necessary details about the executed program, who the program ran as, and the process that +started the process are provided by the event. This provides evidence to indicate that this +technique (Create or Modify System Process) could have occurred. + +*References:* + +* `Ultimate IT Security: Windows Security Log Event ID 4688 + `__ +* `Microsoft Learn: 4688(S) A new process has been created + `__ + +**WinEvtx EID 4696:** + +*Maybe.* A primary token is an access token that is typically created only by the +Windows kernel and is assigned to a process to represent the default security +information for that process. Every process or thread executed on behalf of a user has a +copy of the token which is used to identify the user's identity and privileges. This +primary token is assigned to a process when the process is created, which is why this +event falls under process creation. This event, however, will only be generated when a +process (usually a service or a scheduled task) starts under the authority of a +different user than the user who created the process. In other words, this event +triggers every time a process runs using the non-current access token. To verify that +the access token is non-current we need to compare the Security ID, Account Name, +Account Domain, and Logon ID attributes of the new token information with the subject +information attributes provided by this event. + +*Background:* An access token contains the security information for a logon session. The +system creates an access token when a user logs on, and every process executed on behalf +of the user has a copy of the token. The token identifies the user, the user's groups, +and the user's privileges. The system uses the token to control access to securable +objects and to control the ability of the user to perform various system-related +operations on the local computer. There are two kinds of access token, primary and +impersonation. 
+ +*Caveat:* This event does not generate when the process starts with the authority of the +same user that created the process. Therefore, if the new process has the same target +user as the user of the parent process, this event will not trigger. WinEvtx EID 4688 +includes the primary token assigned to the new process. Also, this event is deprecated +starting from Windows 7 and Windows 2008 R2, with Windows Server 2008 and Windows Vista +as minimum OS versions. + +*References:* + +* `Ultimate IT Security: Windows Security Log Event ID 4696 + `__ +* `Ultimate IT Security: Detailed Tracking Events + `__ +* `Microsoft Learn: 4696(S) A primary token was assigned to process + `__ +* `Microsoft Learn: Access Tokens + `__ + +**Next, we review specific attributes of the event logs.** + +Sysmon EID 1: * ProcessGuid * ProcessId @@ -82,7 +102,7 @@ may not be a feasible detection for Create or Modify System Process (T1543). * ParentProcessId * ParentImage - WinEvtx EID 4688: +WinEvtx EID 4688: * New Process ID * New Process Name @@ -91,7 +111,7 @@ may not be a feasible detection for Create or Modify System Process (T1543). * Creator Process Name * Process Command Line - WinEvtx EID 4696: +WinEvtx EID 4696: * Target Process ID * Target Process Name 
@@ -102,74 +122,91 @@ may not be a feasible detection for Create or Modify System Process (T1543). * Logon ID -Create or Modify System Process (T1543) Example 2 -------------------------------------------------- +Example 2: Create or Modify System Process (T1543) +-------------------------------------------------- -As identified in the SMAP mappings, Windows Registry key creation can be collected by -Sysmon 12 and WinEvtx 4657. This example walks through using these events to potentially +As identified in the SMAP mappings, Windows Registry key creation can be collected by +Sysmon 12 and WinEvtx 4657. This example walks through using these events to potentially provide detection for Create or Modify System Process (T1543). .. image:: ../_static/winex2.png - :width: 700 -1. Looking at what the event logs themselves, is this enough proof or evidence to say - “the process was created under this technique”? +**Looking at the event data, is this enough evidence to conclude that the process was +created or modified per T1543?** Registry key creation/modification/deletion and key +value creation/modification/deletion events all have the event attributes necessary to +indicate that this technique (Create or Modify System Process) could have occurred. + +**Sysmon EID 12:** + +*Yes.* Sysmon EID 12 is triggered by CreateKey, DeleteKey, CreateValue, and DeleteValue +events. Newly created windows registry keys (i.e., CreateKey event) may create or modify +system-level processes to store and execute malicious payloads at startup or at +repeatable intervals as part of persistence or privileged escalation. + +*References:* - Registry key creation/modification/deletion and key value creation/modification/deletion - events all have the event attributes necessary to indicate that this technique (Create or - Modify System Process) could have occurred. 
+* `Ultimate IT Security: Sysmon Event ID 12 + `__ +* `Microsoft Learn: Sysmon Event-12 Q&A + `__ -* Sysmon EID 12 +**WinEvtx EID 4657:** - Event information: `Ultimate Windows Security - Sysmon Event ID 12 `_ `Microsoft Learn - Sysmon Event-12 `_ +*Yes.* This event is triggered when registry key values are created, modified, and deleted. +Accessing/opening and closing the registry key is determined by Windows EID 4656 and EID 4658, +respectively. This event will be generated when a new registry key is created with an initial +key value or key value type set. - Yes. Sysmon EID 12 is triggered by CreateKey, DeleteKey, CreateValue, and DeleteValue events. - Newly created windows registry keys (i.e., CreateKey event) may create or modify system-level - processes to store and execute malicious payloads at startup or at repeatable intervals as - part of persistence or privileged escalation. +*Caveat:* This event does not generate when a registry key is modified. Also, a newly created +registry key without a key value or key value type set will not trigger this event. -* WinEvtx EID 4657 +*References:* - Event information: `Microsoft Learn - 4657(S) `_, `Ultimate Windows Security - Windows Security Log Event ID 4657 `_ +* `Microsoft Learn: 4657(S) A registry value was modified + `__ +* `Ultimate IT Security: Windows Security Log Event ID 4657 + `__ - Yes. This event is triggered when registry key values are created, modified, and deleted. - Accessing/opening and closing the registry key is determined by Windows EID 4656 and EID 4658, - respectively. This event will be generated when a new registry key is created with an initial - key value or key value type set. - Caveat: This event does not generate when a registry key is modified. Also, a newly created - registry key without a key value or key value type set will not trigger this event. 
+**Sysmon EID 6:** -* Sysmon EID 6 +*Yes.* Attaching a driver to the user or kernel-mode of a system, which triggers this event, +creates a new service driver installation and load. An adversary may use this service to +install and execute a malicious driver that can be leveraged as a rootkit, or load a signed +but vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" +(BYOVD)). This event provides information about the driver being loaded, its hashes, and the +signature information for integrity purposes (signature validity, driver's publisher, and +signature status). - Event information: `Ultimate Windows Security - Sysmon Event ID 6 `_, `Microsoft Learn - Sysmon v15.11 `_, `Red Canary - T1543.003 `_, `TrustedSec - Driver Loading `_ +*References:* - Yes. Attaching a driver to the user or kernel-mode of a system, which triggers this event, - creates a new service driver installation and load. An adversary may use this service to - install and execute a malicious driver that can be leveraged as a rootkit, or load a signed - but vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" - (BYOVD)). This event provides information about the driver being loaded, its hashes, and the - signature information for integrity purposes (signature validity, driver's publisher, and - signature status). +* `Ultimate IT Security: Sysmon Event ID 6 + `__ +* `Microsoft Learn: Sysmon v15.11 + `__ +* `Atomic Red Team: T1543.003 + `__ +* `Sysmon Community Guide: Driver Loading + `__ -2. Review specific attributes of the event logs: +**Next, we review specific attributes of the event logs.** - Sysmon EID 12: +Sysmon EID 12: * TargetObject * EventType (CreateKey, DeleteKey, CreateValue, DeleteValue) - WinEvtx EID 4657: +WinEvtx EID 4657: * Object Name * Object Value Name * Operation Type (New registry value created, Existing registry value modified, Registry value deleted, etc.) 
* Change information ("Old Value Type", "Old Value", "New Value Type", "New Value") - Sysmon EID 6: +Sysmon EID 6: * ImageLoaded (filepath of the driver loaded) * Hashes (of the driver loaded) * Signed (true/false) * Signature (Signer name of the driver) - * SignatureStatus (i.e., valid) \ No newline at end of file + * SignatureStatus (i.e., valid) diff --git a/docs/extra/.gitignore b/docs/extra/.gitignore new file mode 100644 index 0000000..355164c --- /dev/null +++ b/docs/extra/.gitignore @@ -0,0 +1 @@ +*/ diff --git a/docs/extra/.gitkeep b/docs/extra/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/docs/future_work.rst b/docs/future_work.rst deleted file mode 100644 index 4fe582c..0000000 --- a/docs/future_work.rst +++ /dev/null @@ -1,11 +0,0 @@ -Future Work -=========== - -Sensor Mappings to ATT&CK project can be used as the foundational basis for other areas of research, -such as: - -- Event ID mappings to ATT&CK Techniques -- Event ID mappings to Vendor Sensors -- Additional Sensors within the Windows, Linux, MacOS, Network, and Cloud platform - -If you have any thoughts to future areas of research, please submit a `GitHub Issue `_ \ No newline at end of file diff --git a/docs/index.rst b/docs/index.rst index 7a12a9f..713a891 100644 --- a/docs/index.rst +++ b/docs/index.rst 
@@ -1,19 +1,22 @@ Sensor Mappings to ATT&CK ========================= -Sensor Mappings to ATT&CK (SMAP) is a collection of resources to assist security operations teams -and security leaders understand which tools, capabilities, and events can help provide visibility -into real-world adversary behaviors potentially occurring in their environments. SMAP builds on -`MITRE ATT&CK® `_ Data Sources by connecting the conceptual data source -representions of information that can be collected to concrete logs, sensors, and other security -capabilities that provide that type of data. - -This project is created and maintained by `MITRE Engenuity Center for Threat-Informed Defense -(Center) `_ and is funded by our `research participants `_, in futherance of our mission to -advance the start of the art and the state of the practice in threat-informed defense globally. -This work complements the Center's `Security Stack Mappings `_ project by -allowing defenders to use both resources to understand their overall defensive coverage and make -threat-informed decisions. +The Sensor Mappings to ATT&CK Project (SMAP) is a collection of resources to assist +security operations teams and security leaders with understanding which tools, +capabilities, and events can help provide visibility into real-world adversary behaviors +potentially occurring in their environments. SMAP builds on `MITRE ATT&CK® +`_ Data Sources by connecting the conceptual data source +representions of information that can be collected to concrete logs, sensors, and other +security capabilities that provide that type of data. + +This project is created and maintained by `MITRE Engenuity Center for Threat-Informed +Defense (Center) `_ and is funded by our `research +participants `_, in futherance of our mission to advance the start of the +art and the state of the practice in threat-informed defense globally. 
This work +complements the Center's `Security Stack Mappings +`_ +project by allowing defenders to use both resources to understand their overall +defensive coverage and make threat-informed decisions. .. toctree:: :maxdepth: 2 @@ -25,7 +28,6 @@ threat-informed decisions. levels/index use_cases example_technique_mappings/index - future_work changelog Notice diff --git a/docs/levels/index.rst b/docs/levels/index.rst index 7f3a246..1531339 100644 --- a/docs/levels/index.rst +++ b/docs/levels/index.rst @@ -1,22 +1,23 @@ -.. _Mapping Pages: - -==================== Sensor Mapping -==================== - -**Mappings Resources** +============== -* `Mappings Spreadsheet `_: Spreadsheet of all in-scope sensor and event mappings to ATT&CK data objects. -* `ATT&CK Navigator Layers `_: Navigator layers of sensors and events mapped to data objects associated with specific (sub-)techniques. +The scope of this project includes mappings to ATT&CK Data Sources from Host Sensors, +which gather data from endpoints in the environment (e.g., Windows, Linux), and Network +Sensors, which gather data gather from network communications, typically outbound +connections. -**Sensor Scope** +View Mappings +------------- -The scope of this project includes mappings to ATT&CK Data Sources from Host Sensors, which -gather data from endpoints in the environment (e.g., Windows, Linux), and Network Sensors, -which gather data gather from network communications, typically outbound connections. +.. raw:: html +

+ + Download Mappings – Excel +

-The specific sensors mapped are: +You can download a spreadsheet containing the mappings for all sensors or dive into the +details for a specific sensor: .. toctree:: @@ -28,4 +29,19 @@ The specific sensors mapped are: mapping_zeek .. image:: ../_static/sensors.png - :width: 700 \ No newline at end of file + +Visualize Coverage +------------------ + +.. raw:: html + +

+ + Open Sensor Coverage in ATT&CK Navigator +

+ +The Navigator layer connects sensors → data sources → techniques. Each sensor is color +coded to the techniques that it is mapped to. Techniques with multiple sensors are +shaded in green: lighter green means fewer sensors and darker green means more sensors. + +.. image:: ../_static/sensor_comparisons.png diff --git a/docs/levels/mapping_auditd.rst b/docs/levels/mapping_auditd.rst index 65749ca..296ccb2 100644 --- a/docs/levels/mapping_auditd.rst +++ b/docs/levels/mapping_auditd.rst @@ -1,9 +1,21 @@ Auditd ====== -`Auditd mappings STIX JSON `_: STIX bundle file output of Auditd sensor mappings. +Browse the Auditd mappings on this page, download the mappings (in CSV/STIX format), or +visualize the sensor coverage in ATT&CK Navigator. -`Auditd ATT&CK Navigator Layer `_: Navigator layer of Auditd events mapped to data objects associated with specific (sub-)techniques. +.. raw:: html + +

+ + Download CSV + + + Download STIX + + + Open in ATT&CK Navigator +

.. MAPPINGS_TABLE Generated at: 2023-10-03T10:40:58.770502Z 
@@ -16,618 +28,618 @@ Auditd - ATT&CK DATA SOURCE - ATT&CK DATA COMPONENT - * - ADD_GROUP - - Triggered when a user-space group is added - - Group - - Group Creation + * - ADD_GROUP + - Triggered when a user-space group is added + - Group + - Group Creation - * - ADD_USER - - Triggered when a user-space user account is created + * - ADD_USER + - Triggered when a user-space user account is created - User Account - - User Account Creation + - User Account Creation - * - ANOM_ABEND - - Triggered when a processes ends abnormally (with core dump, if enabled) - - Process - - Process Termination + * - ANOM_ABEND + - Triggered when a processes ends abnormally (with core dump, if enabled) + - Process + - Process Termination - * - ANOM_ADD_ACCOUNT - - Triggered when a user-space account addition ends abnormally - - User Account - - User Account Creation + * - ANOM_ADD_ACCOUNT + - Triggered when a user-space account addition ends abnormally + - User Account + - User Account Creation - * - ANOM_DEL_ACCOUNT - - Triggered when a user-space account deletion ends abnormally - - User Account - - User Account Deletion + * - ANOM_DEL_ACCOUNT + - Triggered when a user-space account deletion ends abnormally + - User Account + - User Account Deletion - * - ANOM_LINK - - Triggered when suspicious use of file links is detected - - File - - File Access + * - ANOM_LINK + - Triggered when suspicious use of file links is detected + - File + - File Access - * - ANOM_LOGIN_FAILURES - - Triggered when the limit of failed login attempts is reached - - User Account - - User Account Authentication + * - ANOM_LOGIN_FAILURES + - Triggered when the limit of failed login attempts is reached + - User Account + - User Account Authentication - * - ANOM_LOGIN_LOCATION - - Triggered when a login atempt is made from forbidden location - - User Account + * - ANOM_LOGIN_LOCATION + - Triggered when a login atempt is made from forbidden location + - User Account - User Account Authentication - * - 
ANOM_LOGIN_SESSIONS - - Triggered when a login attempt reaches max amount of sessions - - User Account + * - ANOM_LOGIN_SESSIONS + - Triggered when a login attempt reaches max amount of sessions + - User Account - User Account Authentication - * - ANOM_LOGIN_TIME - - Triggered when a login attempt is made at a time when prevented - - User Account + * - ANOM_LOGIN_TIME + - Triggered when a login attempt is made at a time when prevented + - User Account - User Account Authentication - * - ANOM_PROMISCUOUS - - Triggered when a device enables or disables promiscuous mode - - Service + * - ANOM_PROMISCUOUS + - Triggered when a device enables or disables promiscuous mode + - Service - Service Modification - * - AVC - - Triggered to record an SELinux permission check - - Service + * - AVC + - Triggered to record an SELinux permission check + - Service - Service Access - * - CONFIG_CHANGE - - audit_enabled record field contains 1 or 2 - - Service + * - CONFIG_CHANGE + - audit_enabled record field contains 1 or 2 + - Service - Service Modification - * - CONFIG_CHANGE - - audit_enabled record field contains 0 - - Service + * - CONFIG_CHANGE + - audit_enabled record field contains 0 + - Service - Service Modification - * - CONFIG_CHANGE - - op record field contains add rule - - Service + * - CONFIG_CHANGE + - op record field contains add rule + - Service - Service Modification - * - CONFIG_CHANGE - - op record field contains remove rule - - Service + * - CONFIG_CHANGE + - op record field contains remove rule + - Service - Service Modification - * - CONFIG_CHANGE - - audit_failure record field contains value 0 - - Service + * - CONFIG_CHANGE + - audit_failure record field contains value 0 + - Service - Service Modification - * - CONFIG_CHANGE - - audit_failure record field contains value 1 - - Service + * - CONFIG_CHANGE + - audit_failure record field contains value 1 + - Service - Service Modification - * - CONFIG_CHANGE - - audit_failure record field contains value 2 + * - 
CONFIG_CHANGE + - audit_failure record field contains value 2 - Service - Service Modification - * - CONFIG_CHANGE - - any other CONFIG_CHANGE cases not specified above - - Service + * - CONFIG_CHANGE + - any other CONFIG_CHANGE cases not specified above + - Service - Service Modification - * - CRED_ACQ - - Triggered when a user acquires user-space credentials - - User Account + * - CRED_ACQ + - Triggered when a user acquires user-space credentials + - User Account - User Account Metadata - * - CRED_DISP - - Triggered when a user disposes of user-space credentials - - User Account + * - CRED_DISP + - Triggered when a user disposes of user-space credentials + - User Account - User Account Metadata - * - CRED_REFR - - Triggered when a user refreshes their user-space credentials - - User Account + * - CRED_REFR + - Triggered when a user refreshes their user-space credentials + - User Account - User Account Access - * - CRYPTO_KEY_USER - - Triggered to record crypto key identifier used for crypto purposes - - Logon Session + * - CRYPTO_KEY_USER + - Triggered to record crypto key identifier used for crypto purposes + - Logon Session - Logon Session Metadata - * - CRYPTO_SESSION - - Triggered to record parameters set during a TLS session establishment - - Logon Session + * - CRYPTO_SESSION + - Triggered to record parameters set during a TLS session establishment + - Logon Session - Logon Session Creation - * - DAEMON_ABORT - - Triggered when a daemon is stopped due to an error - - Service + * - DAEMON_ABORT + - Triggered when a daemon is stopped due to an error + - Service - Service Metadata - * - DAEMON_CONFIG - - Triggered when a daemon configuration change is detected - - Service + * - DAEMON_CONFIG + - Triggered when a daemon configuration change is detected + - Service - Service Modification - * - DAEMON_END - - Triggered when a daemon is successfully stopped - - Service + * - DAEMON_END + - Triggered when a daemon is successfully stopped + - Service - Service 
Metadata - * - DAEMON_RESUME - - Triggered when the auditd daemon resumes logging - - Service + * - DAEMON_RESUME + - Triggered when the auditd daemon resumes logging + - Service - Service Metadata - * - DAEMON_ROTATE - - Triggered when the auditd daemon rotates the Audit log files - - Service + * - DAEMON_ROTATE + - Triggered when the auditd daemon rotates the Audit log files + - Service - Service Metadata - * - DAEMON_START - - Triggered when the auditd daemon is started - - Service + * - DAEMON_START + - Triggered when the auditd daemon is started + - Service - Service Creation - * - DEL_GROUP - - Triggered when a user-space group is deleted - - Group + * - DEL_GROUP + - Triggered when a user-space group is deleted + - Group - Group Deletion - * - DEL_USER - - Triggered when a user-space user is deleted - - User Account + * - DEL_USER + - Triggered when a user-space user is deleted + - User Account - User Account Deletion - * - FS_RELABEL - - Triggered when a file system relabel operation is detected - - Drive + * - FS_RELABEL + - Triggered when a file system relabel operation is detected + - Drive - Drive Modification - * - LABEL_LEVEL_CHANGE - - Triggered when an object's level label is modified - - File + * - LABEL_LEVEL_CHANGE + - Triggered when an object's level label is modified + - File - File Modification - * - LABEL_OVERRIDE - - Triggered when administrator overrides object's level label - - File + * - LABEL_OVERRIDE + - Triggered when administrator overrides object's level label + - File - File Modification - * - LOGIN - - Triggered to record relevant login information when user logs into system - - Logon Session + * - LOGIN + - Triggered to record relevant login information when user logs into system + - Logon Session - Logon Session Metadata - * - MAC_CIPSOV4_ADD - - Triggered when Commercial Internet Protocol Security Option user adds a new Domain of Interpretation (DOI) via NetLabel - - Service + * - MAC_CIPSOV4_ADD + - Triggered when Commercial 
Internet Protocol Security Option user adds a new Domain of Interpretation (DOI) via NetLabel + - Service - Service Modification - * - MAC_CIPSOV4_DEL + * - MAC_CIPSOV4_DEL - Triggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel - - Service + - Service - Service Modification - * - MAC_CONFIG_CHANGE - - Triggered when an SELinux Boolean value is changed - - Service + * - MAC_CONFIG_CHANGE + - Triggered when an SELinux Boolean value is changed + - Service - Service Modification - * - MAC_MAP_ADD - - Triggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel. - - Service + * - MAC_MAP_ADD + - Triggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel. + - Service - Service Modification - * - MAC_MAP_DEL - - Triggered when existing LSM domain mapping is deleted - - Service + * - MAC_MAP_DEL + - Triggered when existing LSM domain mapping is deleted + - Service - Service Modification - * - MAC_POLICY_LOAD - - Triggered when a SELinux Policy file is loaded - - Service + * - MAC_POLICY_LOAD + - Triggered when a SELinux Policy file is loaded + - Service - Service Creation - * - MAC_STATUS - - Triggered when the SELinux mode is changed (enforcing, permissive, etc) - - Service + * - MAC_STATUS + - Triggered when the SELinux mode is changed (enforcing, permissive, etc) + - Service - Service Modification - * - MAC_UNLBL_ALLOW - - Triggered when unlabeled traffic is allowed when using packet labeling - - Network Traffic + * - MAC_UNLBL_ALLOW + - Triggered when unlabeled traffic is allowed when using packet labeling + - Network Traffic - Network Traffic Content - * - NETFILTER_CFG - - Triggered when Netfilter chain modifications are detected - - Firewall + * - 
NETFILTER_CFG + - Triggered when Netfilter chain modifications are detected + - Firewall - Firewall Rule Modification - * - RESP_ACCT_LOCK - - Triggered when a user account is locked - - User Account + * - RESP_ACCT_LOCK + - Triggered when a user account is locked + - User Account - User Account Authentication - * - RESP_ACCT_UNLOCK_TIMED - - Triggered when user account is unlocked after configured time - - User Account + * - RESP_ACCT_UNLOCK_TIMED + - Triggered when user account is unlocked after configured time + - User Account - User Account Authentication - * - ROLE_ASSIGN - - Triggered when an administrator user assigns user to SELinux role - - Service + * - ROLE_ASSIGN + - Triggered when an administrator user assigns user to SELinux role + - Service - Service Modification - * - ROLE_REMOVE - - Triggered when an administrator removes a user from an SELinux role - - Service + * - ROLE_REMOVE + - Triggered when an administrator removes a user from an SELinux role + - Service - Service Modification - * - SELINUX_ERR - - Triggered when an internal SELinux error is detected - - Service + * - SELINUX_ERR + - Triggered when an internal SELinux error is detected + - Service - Service Metadata - * - SYSTEM_RUNLEVEL - - Triggered when the system run level is changed - - Sensor Health + * - SYSTEM_RUNLEVEL + - Triggered when the system run level is changed + - Sensor Health - Host Status - * - SYSTEM_SHUTDOWN - - Triggered when the system is shut down - - Sensor Health + * - SYSTEM_SHUTDOWN + - Triggered when the system is shut down + - Sensor Health - Host Status - * - TTY - - Triggered when TTY input was sent to an administrative process - - Process + * - TTY + - Triggered when TTY input was sent to an administrative process + - Process - Process Access - * - USER_ACCT - - Triggered when a user-space user authorization attempt is detected - - User Account + * - USER_ACCT + - Triggered when a user-space user authorization attempt is detected + - User Account - User 
Account Authentication - * - USER_AUTH - - Triggered when a user-space user authentication attempt is detected - - User Account + * - USER_AUTH + - Triggered when a user-space user authentication attempt is detected + - User Account - User Account Authentication - * - USER_AVC - - Triggered when a user-space AVC message is generated - - File + * - USER_AVC + - Triggered when a user-space AVC message is generated + - File - File Access - * - USER_CHAUTHTOK - - op record field contains value change password - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value changing password - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value change expired password - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value change age - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value change max age - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value change min age - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value change passwd warning - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value change inactive days - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value change passwd expiration - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value change last change date - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value change all aging information - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value password attribute change - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains 
value password aging data updated - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value display aging info - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value password status display - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value password status displayed for user - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value adding to group - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value adding group member - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value adding user to group - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value adding user to shadow group - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value changing primary group - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value changing group member - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value changing admin name in shadow group - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value changing member in shadow group - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value deleting group password - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value deleting member - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value deleting user from group - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value deleting user from shadow group - - User Account 
- - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value removing group member - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value removing user from shadow group - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value user lookup - - User Account + * - USER_CHAUTHTOK + - op record field contains value change password + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value changing password + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value change expired password + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value change age + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value change max age + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value change min age + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value change passwd warning + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value change inactive days + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value change passwd expiration + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value change last change date + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value change all aging information + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value password attribute change + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value password aging data updated + - User Account + - User 
Account Modification + + * - USER_CHAUTHTOK + - op record field contains value display aging info + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value password status display + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value password status displayed for user + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value adding to group + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value adding group member + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value adding user to group + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value adding user to shadow group + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value changing primary group + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value changing group member + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value changing admin name in shadow group + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value changing member in shadow group + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value deleting group password + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value deleting member + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value deleting user from group + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value deleting user from shadow group + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op 
record field contains value removing group member + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value removing user from shadow group + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value user lookup + - User Account - User Account Accessed - - * - USER_CHAUTHTOK - - op record field contains value adding group - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value deleting group - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value adding user - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value adding home directory - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value deleting user entries - - User Account + + * - USER_CHAUTHTOK + - op record field contains value adding group + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value deleting group + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value adding user + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value adding home directory + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value deleting user entries + - User Account - User Account Deletion - - * - USER_CHAUTHTOK - - op record field contains value deleting user not found - - User Account + + * - USER_CHAUTHTOK + - op record field contains value deleting user not found + - User Account - User Account Deletion - - * - USER_CHAUTHTOK - - op record field contains value deleting user - - User Account + + * - USER_CHAUTHTOK + - op record field contains value deleting user + - User Account - User Account Deletion - - * - USER_CHAUTHTOK - - op record field 
contains value deleting user logged in - - User Account + + * - USER_CHAUTHTOK + - op record field contains value deleting user logged in + - User Account - User Account Deletion - - * - USER_CHAUTHTOK - - op record field contains value deleting mail file - - File + + * - USER_CHAUTHTOK + - op record field contains value deleting mail file + - File - File Deletion - - * - USER_CHAUTHTOK - - op record field contains value deleting home directory - - User Account + + * - USER_CHAUTHTOK + - op record field contains value deleting home directory + - User Account - User Account Deletion - - * - USER_CHAUTHTOK - - op record field contains value lock password - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value delete password - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value updating password - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value unlock password - - User Account + + * - USER_CHAUTHTOK + - op record field contains value lock password + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value delete password + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value updating password + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value unlock password + - User Account - User Account Metadata - - * - USER_CHAUTHTOK - - op record field contains value changing name - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value changing uid - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value changing home directory - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value moving home directory - - User Account + + * - 
USER_CHAUTHTOK + - op record field contains value changing name + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value changing uid + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value changing home directory + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value moving home directory + - User Account - User Account Access - - * - USER_CHAUTHTOK - - op record field contains value changing mail file name - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - op record field contains value changing mail file owner - - User Account - - User Account Modification - - * - USER_CHAUTHTOK - - Triggered when a user account password or PIN is modified - - User Account - - User Account Modification - - * - USER_CMD - - Triggered when a user-space shell command is executed - - Process + + * - USER_CHAUTHTOK + - op record field contains value changing mail file name + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - op record field contains value changing mail file owner + - User Account + - User Account Modification + + * - USER_CHAUTHTOK + - Triggered when a user account password or PIN is modified + - User Account + - User Account Modification + + * - USER_CMD + - Triggered when a user-space shell command is executed + - Process - Process Creation - - * - USER_END - - Triggered when a user-space session is terminated - - Logon Session + + * - USER_END + - Triggered when a user-space session is terminated + - Logon Session - Logon Session Metadata - - * - USER_ERR - - Triggered when a user account state error is detected - - User Account + + * - USER_ERR + - Triggered when a user account state error is detected + - User Account - User Account Metadata - - * - USER_LABELED_EXPORT - - Triggered when an object is exported with an SELinux label - - File + + * - USER_LABELED_EXPORT + - 
Triggered when an object is exported with an SELinux label + - File - File Metadata - - * - USER_LOGIN - - Triggered when a user logs in - - Logon Session + + * - USER_LOGIN + - Triggered when a user logs in + - Logon Session - Logon Session Creation - - * - USER_LOGOUT - - Triggered when a user logs out - - Logon Session + + * - USER_LOGOUT + - Triggered when a user logs out + - Logon Session - Logon Session Metadata - - * - USER_ROLE_CHANGE - - op record field is not present - - User Account - - User Account Modification - - * - USER_ROLE_CHANGE - - op record field contains add SELinux user record - - User Account + + * - USER_ROLE_CHANGE + - op record field is not present + - User Account + - User Account Modification + + * - USER_ROLE_CHANGE + - op record field contains add SELinux user record + - User Account - User Account Creation - - * - USER_ROLE_CHANGE - - op record field contains delete SELinux user record - - User Account + + * - USER_ROLE_CHANGE + - op record field contains delete SELinux user record + - User Account - User Account Deletion - - * - USER_ROLE_CHANGE - - any other USER_ROLE_CHANGE cases not specified above - - User Account - - User Account Modification - - * - USER_START - - Triggered when a user-space session is started - - Logon Session + + * - USER_ROLE_CHANGE + - any other USER_ROLE_CHANGE cases not specified above + - User Account + - User Account Modification + + * - USER_START + - Triggered when a user-space session is started + - Logon Session - Logon Session Creation - - * - USER_TTY - - Triggered when an explanatory msg about TTY input to admin proc is sent - - Service + + * - USER_TTY + - Triggered when an explanatory msg about TTY input to admin proc is sent + - Service - Service Metadata - - * - USER_UNLABELED_EXPORT - - Triggered when an object is exported without an SELinux label - - File + + * - USER_UNLABELED_EXPORT + - Triggered when an object is exported without an SELinux label + - File - File Metadata - - * - 
USYS_CONFIG - - Triggered when a user-space system configuration change is detected - - Command + + * - USYS_CONFIG + - Triggered when a user-space system configuration change is detected + - Command - Command Execution -.. /MAPPINGS_TABLE \ No newline at end of file +.. /MAPPINGS_TABLE diff --git a/docs/levels/mapping_cloudtrail.rst b/docs/levels/mapping_cloudtrail.rst index ecc52e2..57cd738 100644 --- a/docs/levels/mapping_cloudtrail.rst +++ b/docs/levels/mapping_cloudtrail.rst @@ -1,9 +1,21 @@ CloudTrail ========== -`CloudTrail mappings STIX JSON `_: STIX bundle file output of CloudTrail sensor mappings. +Browse the CloudTrail mappings on this page, download the mappings (in CSV/STIX format), or +visualize the sensor coverage in ATT&CK Navigator. -`CloudTrail ATT&CK Navigator Layer `_: Navigator layer of CloudTrail events mapped to data objects associated with specific (sub-)techniques. +.. raw:: html + +

+ + Download CSV + + + Download STIX + + + Open in ATT&CK Navigator +

.. MAPPINGS_TABLE Generated at: 2023-10-03T10:40:58.770502Z 
@@ -16,869 +28,869 @@ CloudTrail - ATT&CK DATA SOURCE - ATT&CK DATA COMPONENT - * - AddClientIDToOpenIDConnectProvider - - Adds a new client ID (also known as audience) to the list of client IDs already registered for the specified IAM OpenID Connect (OIDC) provider resource. - - Active Directory + * - AddClientIDToOpenIDConnectProvider + - Adds a new client ID (also known as audience) to the list of client IDs already registered for the specified IAM OpenID Connect (OIDC) provider resource. + - Active Directory - Active Directory Object Modification - - * - AddRoleToInstanceProfile - - Adds the specified IAM role to the specified instance profile. An instance profile can contain only one role, and this quota cannot be increased. You can remove the existing role and then add a different role to an instance profile. - - Instance + + * - AddRoleToInstanceProfile + - Adds the specified IAM role to the specified instance profile. An instance profile can contain only one role, and this quota cannot be increased. You can remove the existing role and then add a different role to an instance profile. + - Instance - Instance Metadata - - * - AddUserToGroup - - A user has been added to a group. - - Group + + * - AddUserToGroup + - A user has been added to a group. + - Group - Group Modification - - * - AttachGroupPolicy - - A managed policy has been added to an IAM group. - - Group + + * - AttachGroupPolicy + - A managed policy has been added to an IAM group. + - Group - Group Modification - - * - AttachRolePolicy - - A managed policy has been added to an IAM role. - - User Account - - User Account Metadata - - * - AttachUserPolicy - - A managed policy has been added to an IAM user. - - User Account - - User Account Metadata - - * - ChangePassword - - A password for an IAM user has been changed. Changes the password of the IAM user who is calling this operation. 
This operation can be performed using the AWS CLI, the AWS API, or the My Security Credentials page in the AWS Management Console. The AWS account root user password is not affected by this operation. - - User Account - - User Account Metadata - - * - ConsoleLogin - - A user has signed into AWS Management Console. That user could be an account owner, a federated user or an IAM user. - - Logon Session + + * - AttachRolePolicy + - A managed policy has been added to an IAM role. + - User Account + - User Account Metadata + + * - AttachUserPolicy + - A managed policy has been added to an IAM user. + - User Account + - User Account Metadata + + * - ChangePassword + - A password for an IAM user has been changed. Changes the password of the IAM user who is calling this operation. This operation can be performed using the AWS CLI, the AWS API, or the My Security Credentials page in the AWS Management Console. The AWS account root user password is not affected by this operation. + - User Account + - User Account Metadata + + * - ConsoleLogin + - A user has signed into AWS Management Console. That user could be an account owner, a federated user or an IAM user. + - Logon Session - Logon Session Creation - - * - CreateAccessKey - - A new AWS secret access key and access key ID has been created. - - User Account - - User Account Metadata - - * - CreateAccountAlias - - Creates an alias for your AWS account. - - User Account - - User Account Metadata - - * - CreateGroup - - A new group has been created. - - Group + + * - CreateAccessKey + - A new AWS secret access key and access key ID has been created. + - User Account + - User Account Metadata + + * - CreateAccountAlias + - Creates an alias for your AWS account. + - User Account + - User Account Metadata + + * - CreateGroup + - A new group has been created. + - Group - Group Creation - - * - CreateImage - - Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped. 
- - Image + + * - CreateImage + - Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped. + - Image - Image Creation - - * - CreateInstanceProfile - - Creates a new instance profile. - - Instance + + * - CreateInstanceProfile + - Creates a new instance profile. + - Instance - Instance Metadata - - * - CreateLoginProfile - - A new password has been created for a user to access AWS services through the management console. - - User Account - - User Account Metadata - - * - CreateOpenIDConnectProvider + + * - CreateLoginProfile + - A new password has been created for a user to access AWS services through the management console. + - User Account + - User Account Metadata + + * - CreateOpenIDConnectProvider - Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC). The OIDC provider that you create with this operation can be used as a principal in a role's trust policy. Such a policy establishes a trust relationship between AWS and the OIDC provider. - - Active Directory + - Active Directory - Active Directory Object Creation - - * - CreatePolicy - - A new managed policy has been created for an AWS account. - - User Account - - User Account Metadata - - * - CreatePolicyVersion - - Creates a new version of the specified managed policy. To update a managed policy, you create a new policy version. A managed policy can have up to five versions. If the policy has five versions, you must delete an existing version using DeletePolicyVersion before you create a new version. - - User Account - - User Account Metadata - - * - CreateRole - - A new role for an AWS account has been created. - - User Account - - User Account Metadata - - * - CreateSAMLProvider - - Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0. The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. 
Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS. When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. - - Active Directory + + * - CreatePolicy + - A new managed policy has been created for an AWS account. + - User Account + - User Account Metadata + + * - CreatePolicyVersion + - Creates a new version of the specified managed policy. To update a managed policy, you create a new policy version. A managed policy can have up to five versions. If the policy has five versions, you must delete an existing version using DeletePolicyVersion before you create a new version. + - User Account + - User Account Metadata + + * - CreateRole + - A new role for an AWS account has been created. + - User Account + - User Account Metadata + + * - CreateSAMLProvider + - Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0. The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS. When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. + - Active Directory - Active Directory Object Metadata - - * - CreateServiceLinkedRole - - Creates an IAM role that is linked to a specific AWS service. The service controls the attached policies and when the role can be deleted. This helps ensure that the service is not broken by an unexpectedly changed or deleted role, which could put your AWS resources into an unknown state. 
- - User Account - - User Account Metadata - - * - CreateServiceSpecificCredential - - Generates a set of credentials consisting of a user name and password that can be used to access the service specified in the request. These credentials are generated by IAM, and can be used only for the specified service. You can have a maximum of two sets of service-specific credentials for each supported service per user. - - User Account - - User Account Metadata - - * - CreateSnapshot - - Creates a snapshot of an EBS volume and stores it in Amazon S3. - - Snapshot + + * - CreateServiceLinkedRole + - Creates an IAM role that is linked to a specific AWS service. The service controls the attached policies and when the role can be deleted. This helps ensure that the service is not broken by an unexpectedly changed or deleted role, which could put your AWS resources into an unknown state. + - User Account + - User Account Metadata + + * - CreateServiceSpecificCredential + - Generates a set of credentials consisting of a user name and password that can be used to access the service specified in the request. These credentials are generated by IAM, and can be used only for the specified service. You can have a maximum of two sets of service-specific credentials for each supported service per user. + - User Account + - User Account Metadata + + * - CreateSnapshot + - Creates a snapshot of an EBS volume and stores it in Amazon S3. + - Snapshot - Snapshot Creation - - * - CreateUser - - A new IAM user has been created for an AWS account. - - User Account + + * - CreateUser + - A new IAM user has been created for an AWS account. + - User Account - User Account Creation - - * - CreateVirtualMFADevice - - Creates a new virtual MFA device for the AWS account. After creating the virtual MFA, use EnableMFADevice to attach the MFA device to an IAM user. - - User Account + + * - CreateVirtualMFADevice + - Creates a new virtual MFA device for the AWS account. 
After creating the virtual MFA, use EnableMFADevice to attach the MFA device to an IAM user. + - User Account - User Account Authentication - - * - CreateVolume - - Creates an EBS volume that can be attached to an instance in the same Availability Zone. - - Volume + + * - CreateVolume + - Creates an EBS volume that can be attached to an instance in the same Availability Zone. + - Volume - Volume Creation - - * - DeactivateMFADevice - - Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled. - - User Account + + * - DeactivateMFADevice + - Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled. + - User Account - User Account Authentication - - * - DeleteAccessKey - - An access key pair for an IAM user has been deleted. - - User Account - - User Account Metadata - - * - DeleteAccountAlias - - An AWS account alias has been deleted. - - User Account - - User Account Metadata - - * - DeleteAccountPasswordPolicy - - A password policy for an account has been deleted. - - User Account - - User Account Metadata - - * - DeleteGroup - - An IAM group has been deleted. The group won't have contained any users or policies at time of deletion. - - Group + + * - DeleteAccessKey + - An access key pair for an IAM user has been deleted. + - User Account + - User Account Metadata + + * - DeleteAccountAlias + - An AWS account alias has been deleted. + - User Account + - User Account Metadata + + * - DeleteAccountPasswordPolicy + - A password policy for an account has been deleted. + - User Account + - User Account Metadata + + * - DeleteGroup + - An IAM group has been deleted. The group won't have contained any users or policies at time of deletion. + - Group - Group Deletion - - * - DeleteGroupPolicy - - An inline policy for an IAM group has been deleted. - - Group + + * - DeleteGroupPolicy + - An inline policy for an IAM group has been deleted. 
+ - Group - Group Metadata - - * - DeleteInstanceProfile - - Deletes the specified instance profile. The instance profile must not have an associated role. - - Instance + + * - DeleteInstanceProfile + - Deletes the specified instance profile. The instance profile must not have an associated role. + - Instance - Instance Metadata - - * - DeleteLoginProfile - - A password for an IAM user has been deleted thus removing that user's ability to access services through the console. - - User Account - - User Account Metadata - - * - DeleteOpenIDConnectProvider - - Deletes an OpenID Connect identity provider (IdP) resource object in IAM. Deleting an IAM OIDC provider resource does not update any roles that reference the provider as a principal in their trust policies. Any attempt to assume a role that references a deleted provider fails. - - Active Directory + + * - DeleteLoginProfile + - A password for an IAM user has been deleted thus removing that user's ability to access services through the console. + - User Account + - User Account Metadata + + * - DeleteOpenIDConnectProvider + - Deletes an OpenID Connect identity provider (IdP) resource object in IAM. Deleting an IAM OIDC provider resource does not update any roles that reference the provider as a principal in their trust policies. Any attempt to assume a role that references a deleted provider fails. + - Active Directory - Active Directory Object Deletion - - * - DeletePolicyVersion - - A version of a policy has been deleted. - - User Account - - User Account Metadata - - * - DeleteRole - - A role has been deleted. The role will not have had any policies attached if it was able to be deleted. - - User Account - - User Account Metadata - - * - DeleteRolePermissionsBoundary - - Deletes the permissions boundary for the specified IAM role. You cannot set the boundary for a service-linked role. - - User Account - - User Account Metadata - - * - DeleteRolePolicy - - An inline policy for an IAM role has been deleted. 
- - User Account - - User Account Metadata - - * - DeleteSAMLProvider - - Deletes a SAML provider resource in IAM. Deleting the provider resource from IAM does not update any roles that reference the SAML provider resource's ARN as a principal in their trust policies. Any attempt to assume a role that references a non-existent provider resource ARN fails. - - Active Directory + + * - DeletePolicyVersion + - A version of a policy has been deleted. + - User Account + - User Account Metadata + + * - DeleteRole + - A role has been deleted. The role will not have had any policies attached if it was able to be deleted. + - User Account + - User Account Metadata + + * - DeleteRolePermissionsBoundary + - Deletes the permissions boundary for the specified IAM role. You cannot set the boundary for a service-linked role. + - User Account + - User Account Metadata + + * - DeleteRolePolicy + - An inline policy for an IAM role has been deleted. + - User Account + - User Account Metadata + + * - DeleteSAMLProvider + - Deletes a SAML provider resource in IAM. Deleting the provider resource from IAM does not update any roles that reference the SAML provider resource's ARN as a principal in their trust policies. Any attempt to assume a role that references a non-existent provider resource ARN fails. + - Active Directory - Active Directory Object Deletion - - * - DeleteServerCertificate - - A server certificate has been deleted. - - Certificate + + * - DeleteServerCertificate + - A server certificate has been deleted. + - Certificate - Certificate Deletion - - * - DeleteServiceLinkedRole - - Submits a service-linked role deletion request and returns a DeletionTaskId, which you can use to check the status of the deletion. Before you call this operation, confirm that the role has no active sessions and that any resources used by the role in the linked service are deleted. 
- - Cloud Service Account + + * - DeleteServiceLinkedRole + - Submits a service-linked role deletion request and returns a DeletionTaskId, which you can use to check the status of the deletion. Before you call this operation, confirm that the role has no active sessions and that any resources used by the role in the linked service are deleted. + - Cloud Service Account - Cloud Service Account Metadata - - * - DeleteServiceSpecificCredential - - Deletes the specified service-specific credential. - - User Account - - User Account Metadata - - * - DeleteSigningCertificate - - A signing certificate has been deleted. - - User Account - - User Account Metadata - - * - DeleteSnapshot - - Deletes the specified snapshot. - - Snapshot + + * - DeleteServiceSpecificCredential + - Deletes the specified service-specific credential. + - User Account + - User Account Metadata + + * - DeleteSigningCertificate + - A signing certificate has been deleted. + - User Account + - User Account Metadata + + * - DeleteSnapshot + - Deletes the specified snapshot. + - Snapshot - Snapshot Deletion - - * - DeleteSSHPublicKey + + * - DeleteSSHPublicKey - An SSH public key has been deleted. The SSH public key deleted by this operation is used only for authenticating the associated IAM user to an CodeCommit repository. - - User Account + - User Account - User Account Metadata - - * - DeleteUser - - A user has been deleted. - - User Account + + * - DeleteUser + - A user has been deleted. + - User Account - User Account Deletion - - * - DeleteUserPermissionsBoundary - - Deletes the permissions boundary for the specified IAM user. - - User Account - - User Account Metadata - - * - DeleteUserPolicy - - An inline policy for an IAM user has been deleted. - - User Account - - User Account Metadata - - * - DeleteVirtualMFADevice - - Deletes a virtual MFA device. - - User Account + + * - DeleteUserPermissionsBoundary + - Deletes the permissions boundary for the specified IAM user. 
+ - User Account + - User Account Metadata + + * - DeleteUserPolicy + - An inline policy for an IAM user has been deleted. + - User Account + - User Account Metadata + + * - DeleteVirtualMFADevice + - Deletes a virtual MFA device. + - User Account - User Account Authentication - - * - DetachGroupPolicy - - A managed policy has been removed from a role. Removes the specified managed policy from the specified IAM group. - - Group + + * - DetachGroupPolicy + - A managed policy has been removed from a role. Removes the specified managed policy from the specified IAM group. + - Group - Group Metadata - - * - DetachRolePolicy - - A managed policy has been removed from a role. - - User Account - - User Account Metadata - - * - DetachUserPolicy - - A managed policy has been removed from a user. - - User Account - - User Account Metadata - - * - DetachVolume - - Detaches an EBS volume from an instance. - - Volume + + * - DetachRolePolicy + - A managed policy has been removed from a role. + - User Account + - User Account Metadata + + * - DetachUserPolicy + - A managed policy has been removed from a user. + - User Account + - User Account Metadata + + * - DetachVolume + - Detaches an EBS volume from an instance. + - Volume - Volume Modification - - * - EnableMFADevice - - Enables the specified MFA device and associates it with the specified IAM user. When enabled, the MFA device is required for every subsequent login by the IAM user associated with the device. - - User Account + + * - EnableMFADevice + - Enables the specified MFA device and associates it with the specified IAM user. When enabled, the MFA device is required for every subsequent login by the IAM user associated with the device. + - User Account - User Account Authentication - - * - GenerateCredentialReport - - Retrieves a credential report for the AWS account. 
- - User Account - - User Account Metadata - - * - GenerateOrganizationsAccessReport - - Generates a report for service last accessed data for AWS Organizations. You can generate a report for any entities (organization root, organizational unit, or account) or policies in your organization. To call this operation, you must be signed in using your Organizations management account credentials. You can use your long-term IAM user or root user credentials, or temporary credentials from assuming an IAM role. SCPs must be enabled for your organization root. You must have the required IAM and Organizations permissions. - - Cloud Service Account + + * - GenerateCredentialReport + - Retrieves a credential report for the AWS account. + - User Account + - User Account Metadata + + * - GenerateOrganizationsAccessReport + - Generates a report for service last accessed data for AWS Organizations. You can generate a report for any entities (organization root, organizational unit, or account) or policies in your organization. To call this operation, you must be signed in using your Organizations management account credentials. You can use your long-term IAM user or root user credentials, or temporary credentials from assuming an IAM role. SCPs must be enabled for your organization root. You must have the required IAM and Organizations permissions. + - Cloud Service Account - Cloud Service Account Metadata - - * - GenerateServiceLastAccessedDetails - - Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access AWS services. Recent activity usually appears within four hours. - - Cloud Service + + * - GenerateServiceLastAccessedDetails + - Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access AWS services. Recent activity usually appears within four hours. 
+ - Cloud Service - Cloud Service Metadata - - * - GetAccountAuthorizationDetails - - Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another. Use this operation to obtain a snapshot of the configuration of IAM permissions (users, groups, roles, and policies) in your account. - - User Account - - User Account Metadata - - * - GetAccountPasswordPolicy - - Retrieves the password policy for the AWS account. This tells you the complexity requirements and mandatory rotation periods for the IAM user passwords in your account. - - User Account - - User Account Metadata - - * - GetAccountSummary - - Retrieves information about IAM entity usage and IAM quotas in the AWS account. - - User Account + + * - GetAccountAuthorizationDetails + - Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another. Use this operation to obtain a snapshot of the configuration of IAM permissions (users, groups, roles, and policies) in your account. + - User Account + - User Account Metadata + + * - GetAccountPasswordPolicy + - Retrieves the password policy for the AWS account. This tells you the complexity requirements and mandatory rotation periods for the IAM user passwords in your account. + - User Account + - User Account Metadata + + * - GetAccountSummary + - Retrieves information about IAM entity usage and IAM quotas in the AWS account. + - User Account - User Account Access - - * - GetContextKeysForCustomPolicy - - Gets a list of all of the context keys referenced in the input policies. The policies are supplied as a list of one or more strings. To get the context keys from policies associated with an IAM user, group, or role, use GetContextKeysForPrincipalPolicy. 
- - User Account - - User Account Metadata - - * - GetContextKeysForPrincipalPolicy - - Gets a list of all of the context keys referenced in all the IAM policies that are attached to the specified IAM entity. The entity can be an IAM user, group, or role. If you specify a user, then the request also includes all of the policies attached to groups that the user is a member of. + + * - GetContextKeysForCustomPolicy + - Gets a list of all of the context keys referenced in the input policies. The policies are supplied as a list of one or more strings. To get the context keys from policies associated with an IAM user, group, or role, use GetContextKeysForPrincipalPolicy. + - User Account + - User Account Metadata + + * - GetContextKeysForPrincipalPolicy + - Gets a list of all of the context keys referenced in all the IAM policies that are attached to the specified IAM entity. The entity can be an IAM user, group, or role. If you specify a user, then the request also includes all of the policies attached to groups that the user is a member of. - Group - Group Metadata - - * - GetContextKeysForPrincipalPolicy - - Gets a list of all of the context keys referenced in all the IAM policies that are attached to the specified IAM entity. The entity can be an IAM user, group, or role. If you specify a user, then the request also includes all of the policies attached to groups that the user is a member of. - - User Account - - User Account Metadata - - * - GetCredentialReport - - Retrieves a credential report for the AWS account. - - User Account - - User Account Metadata - - * - GetGroup - - Returns a list of IAM users that are in the specified IAM group. - - Group + + * - GetContextKeysForPrincipalPolicy + - Gets a list of all of the context keys referenced in all the IAM policies that are attached to the specified IAM entity. The entity can be an IAM user, group, or role. 
If you specify a user, then the request also includes all of the policies attached to groups that the user is a member of. + - User Account + - User Account Metadata + + * - GetCredentialReport + - Retrieves a credential report for the AWS account. + - User Account + - User Account Metadata + + * - GetGroup + - Returns a list of IAM users that are in the specified IAM group. + - Group - Group Access - - * - GetGroupPolicy - - Retrieves the specified inline policy document that is embedded in the specified IAM group. - - Group + + * - GetGroupPolicy + - Retrieves the specified inline policy document that is embedded in the specified IAM group. + - Group - Group Metadata - - * - GetInstanceProfile - - Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role. - - Instance + + * - GetInstanceProfile + - Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role. + - Instance - Instance Metadata - - * - GetLoginprofile - - Retrieves the user name and password-creation date for the specified IAM user. - - User Account - - User Account Metadata - - * - GetMFADevice - - Retrieves information about an MFA device for a specified user. - - User Account + + * - GetLoginprofile + - Retrieves the user name and password-creation date for the specified IAM user. + - User Account + - User Account Metadata + + * - GetMFADevice + - Retrieves information about an MFA device for a specified user. + - User Account - User Account Authentication - - * - GetOpenIDConnectProvider - - Returns information about the specified OpenID Connect (OIDC) provider resource object in IAM. - - Active Directory + + * - GetOpenIDConnectProvider + - Returns information about the specified OpenID Connect (OIDC) provider resource object in IAM. 
+ - Active Directory - Active Directory Object Access - - * - GetOrganizationsAccessReport + + * - GetOrganizationsAccessReport - Retrieves the service last accessed data report for AWS Organizations that was previously generated using the GenerateOrganizationsAccessReport operation. This operation retrieves the status of your report job and the report contents. To call this operation, you must be signed in to the management account in your organization. SCPs must be enabled for your organization root. You must have permissions to perform this operation. For each service that principals in an account (root user, IAM users, or IAM roles) could access using SCPs, the operation returns details about the most recent access attempt. - - Cloud Service Account + - Cloud Service Account - Cloud Service Account Access - - * - GetPolicy + + * - GetPolicy - Retrieves information about the specified managed policy, including the policy's default version and the total number of IAM users, groups, and roles to which the policy is attached. - - User Account - - User Account Metadata - - * - GetPolicyVersion - - Retrieves information about the specified version of the specified managed policy, including the policy document. - - User Account - - User Account Metadata - + - User Account + - User Account Metadata + + * - GetPolicyVersion + - Retrieves information about the specified version of the specified managed policy, including the policy document. + - User Account + - User Account Metadata + * - GetRole - Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role. - - User Account - - User Account Metadata - - * - GetRolePolicy - - Retrieves the specified inline policy document that is embedded with the specified IAM role. - - User Account - - User Account Metadata - - * - GetServerCertificate - - Retrieves information about the specified server certificate stored in IAM. 
- - Certificate + - User Account + - User Account Metadata + + * - GetRolePolicy + - Retrieves the specified inline policy document that is embedded with the specified IAM role. + - User Account + - User Account Metadata + + * - GetServerCertificate + - Retrieves information about the specified server certificate stored in IAM. + - Certificate - Certificate Access - - * - GetServiceLastAccessedDetails + + * - GetServiceLastAccessedDetails - Retrieves a service last accessed report that was created using the GenerateServiceLastAccessedDetails operation. The report includes a list of AWS services that the resource (user, group, role, or managed policy) can access. - - Cloud Service Account + - Cloud Service Account - Cloud Service Account Metadata - - * - GetServiceLastAccessedDetailsWithEntities + + * - GetServiceLastAccessedDetailsWithEntities - After you generate a group or policy report using the GenerateServiceLastAccessedDetails operation, you can use the JobId parameter in GetServiceLastAccessedDetailsWithEntities. This operation retrieves the status of your report job and a list of entities that could have used group or policy permissions to access the specified service. Group – For a group report, this operation returns a list of users in the group that could have used the group’s policies in an attempt to access the service. Policy – For a policy report, this operation returns a list of entities (users or roles) that could have used the policy in an attempt to access the service. You can also use this operation for user or role reports to retrieve details about those entities. - - Cloud Service Account + - Cloud Service Account - Cloud Service Account Metadata - - * - GetServiceLinkedRoleDeletionStatus - - Retrieves the status of your service-linked role deletion. - - Cloud Service Account + + * - GetServiceLinkedRoleDeletionStatus + - Retrieves the status of your service-linked role deletion. 
+ - Cloud Service Account - Cloud Service Account Access - - * - GetSSHPublicKey + + * - GetSSHPublicKey - Retrieves the specified SSH public key, including metadata about the key. The SSH public key retrieved by this operation is used only for authenticating the associated IAM user to an CodeCommit repository. - - User Account + - User Account - User Account Access - - * - GetUser - - Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN. - - User Account + + * - GetUser + - Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN. + - User Account - User Account Access - - * - GetUserPolicy - - Retrieves the specified inline policy document that is embedded in the specified IAM user. - - User Account - - User Account Metadata - - * - ListAccessKeys - - Returns information about the access key IDs associated with the specified IAM user. If there is none, the operation returns an empty list. - - User Account + + * - GetUserPolicy + - Retrieves the specified inline policy document that is embedded in the specified IAM user. + - User Account + - User Account Metadata + + * - ListAccessKeys + - Returns information about the access key IDs associated with the specified IAM user. If there is none, the operation returns an empty list. + - User Account - User Account Enumeration - - * - ListAccountAliases - - Lists the account alias associated with the AWS account (Note: you can have only one). - - User Account + + * - ListAccountAliases + - Lists the account alias associated with the AWS account (Note: you can have only one). + - User Account - User Account Enumeration - - * - ListAttachedGroupPolicies - - Lists all managed policies that are attached to the specified IAM group. - - Group + + * - ListAttachedGroupPolicies + - Lists all managed policies that are attached to the specified IAM group. 
+ - Group - Group Enumeration - - * - ListAttachedRolePolicies - - Lists all managed policies that are attached to the specified IAM role. - - User Account - - User Account Metadata - - * - ListAttachedUserPolicies - - Lists all managed policies that are attached to the specified IAM user. - - User Account + + * - ListAttachedRolePolicies + - Lists all managed policies that are attached to the specified IAM role. + - User Account + - User Account Metadata + + * - ListAttachedUserPolicies + - Lists all managed policies that are attached to the specified IAM user. + - User Account - User Account Enumeration - - * - ListEntitiesForPolicy - - Lists all IAM users, groups, and roles that the specified managed policy is attached to. - - User Account - - User Account Metadata - - * - ListEntitiesForPolicy - - Lists all IAM users, groups, and roles that the specified managed policy is attached to. - - Group + + * - ListEntitiesForPolicy + - Lists all IAM users, groups, and roles that the specified managed policy is attached to. + - User Account + - User Account Metadata + + * - ListEntitiesForPolicy + - Lists all IAM users, groups, and roles that the specified managed policy is attached to. + - Group - Group Metadata - - * - ListGroupPolicies - - Lists the names of the inline policies that are embedded in the specified IAM group. - - Group + + * - ListGroupPolicies + - Lists the names of the inline policies that are embedded in the specified IAM group. + - Group - Group Enumeration - - * - ListGroups - - Lists the IAM groups that have the specified path prefix. - - Group + + * - ListGroups + - Lists the IAM groups that have the specified path prefix. + - Group - Group Enumeration - - * - ListGroupsForUser - - Lists the IAM groups that the specified IAM user belongs to. - - Group + + * - ListGroupsForUser + - Lists the IAM groups that the specified IAM user belongs to. 
+ - Group - Group Enumeration - - * - ListInstanceProfiles - - Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list. - - Instance + + * - ListInstanceProfiles + - Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list. + - Instance - Instance Metadata - - * - ListInstanceProfilesForRole - - Lists the instance profiles that have the specified associated IAM role. If there are none, the operation returns an empty list. - - Instance + + * - ListInstanceProfilesForRole + - Lists the instance profiles that have the specified associated IAM role. If there are none, the operation returns an empty list. + - Instance - Instance Metadata - - * - ListInstanceProfileTags - - Lists the tags that are attached to the specified IAM instance profile. The returned list of tags is sorted by tag key. - - Instance + + * - ListInstanceProfileTags + - Lists the tags that are attached to the specified IAM instance profile. The returned list of tags is sorted by tag key. + - Instance - Instance Metadata - - * - ListMFADevices - - Lists the MFA devices for an IAM user. If the request includes a IAM user name, then this operation lists all the MFA devices associated with the specified user. If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request for this operation. - - User Account + + * - ListMFADevices + - Lists the MFA devices for an IAM user. If the request includes a IAM user name, then this operation lists all the MFA devices associated with the specified user. If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request for this operation. + - User Account - User Account Authentication - - * - ListMFADeviceTags - - Lists the tags that are attached to the specified IAM virtual multi-factor authentication (MFA) device. 
The returned list of tags is sorted by tag key. - - User Account + + * - ListMFADeviceTags + - Lists the tags that are attached to the specified IAM virtual multi-factor authentication (MFA) device. The returned list of tags is sorted by tag key. + - User Account - User Account Authentication - - * - ListOpenIDConnectProviders - - Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account. - - Active Directory + + * - ListOpenIDConnectProviders + - Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account. + - Active Directory - Active Directory Object Enumeration - - * - ListOpenIDConnectProviderTags - - Lists the tags that are attached to the specified OpenID Connect (OIDC)-compatible identity provider. The returned list of tags is sorted by tag key. - - Active Directory + + * - ListOpenIDConnectProviderTags + - Lists the tags that are attached to the specified OpenID Connect (OIDC)-compatible identity provider. The returned list of tags is sorted by tag key. + - Active Directory - Active Directory Object Enumeration - - * - ListPolicies - - Lists all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies. - - User Account + + * - ListPolicies + - Lists all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies. + - User Account - User Account Enumeration - - * - ListPoliciesGrantingServiceAccess - - Retrieves a list of policies that the IAM identity (user, group, or role) can use to access each specified service. The list of policies returned by the operation depends on the ARN of the identity that you provide. 
- - User Account - - User Account Metadata - - * - ListPoliciesGrantingServiceAccess - - Retrieves a list of policies that the IAM identity (user, group, or role) can use to access each specified service. The list of policies returned by the operation depends on the ARN of the identity that you provide. - - Group + + * - ListPoliciesGrantingServiceAccess + - Retrieves a list of policies that the IAM identity (user, group, or role) can use to access each specified service. The list of policies returned by the operation depends on the ARN of the identity that you provide. + - User Account + - User Account Metadata + + * - ListPoliciesGrantingServiceAccess + - Retrieves a list of policies that the IAM identity (user, group, or role) can use to access each specified service. The list of policies returned by the operation depends on the ARN of the identity that you provide. + - Group - Group Metadata - - * - ListPolicyTags - - Lists the tags that are attached to the specified IAM customer managed policy. The returned list of tags is sorted by tag key. - - User Account - - User Account Metadata - - * - ListPolicyVersions - - Lists information about the versions of the specified managed policy, including the version that is currently set as the policy's default version. - - User Account - - User Account Metadata - - * - ListRolePolicies - - Lists the names of the inline policies that are embedded in the specified IAM role. - - User Account - - User Account Metadata - - * - ListRoles - - Lists the IAM roles that have the specified path prefix. If there are none, the operation returns an empty list. - - User Account - - User Account Metadata - - * - ListRoleTags - - Lists the tags that are attached to the specified role. The returned list of tags is sorted by tag key. - - User Account - - User Account Metadata - - * - ListSAMLProviders - - Lists the SAML provider resource objects defined in IAM in the account. 
- - Active Directory + + * - ListPolicyTags + - Lists the tags that are attached to the specified IAM customer managed policy. The returned list of tags is sorted by tag key. + - User Account + - User Account Metadata + + * - ListPolicyVersions + - Lists information about the versions of the specified managed policy, including the version that is currently set as the policy's default version. + - User Account + - User Account Metadata + + * - ListRolePolicies + - Lists the names of the inline policies that are embedded in the specified IAM role. + - User Account + - User Account Metadata + + * - ListRoles + - Lists the IAM roles that have the specified path prefix. If there are none, the operation returns an empty list. + - User Account + - User Account Metadata + + * - ListRoleTags + - Lists the tags that are attached to the specified role. The returned list of tags is sorted by tag key. + - User Account + - User Account Metadata + + * - ListSAMLProviders + - Lists the SAML provider resource objects defined in IAM in the account. + - Active Directory - Active Directory Object Enumeration - - * - ListSAMLProviderTags - - Lists the tags that are attached to the specified Security Assertion Markup Language (SAML) identity provider. The returned list of tags is sorted by tag key. - - Active Directory + + * - ListSAMLProviderTags + - Lists the tags that are attached to the specified Security Assertion Markup Language (SAML) identity provider. The returned list of tags is sorted by tag key. + - Active Directory - Active Directory Object Enumeration - - * - ListServerCertificates - - Lists the server certificates stored in IAM that have the specified path prefix. If none exist, the operation returns an empty list. - - Certificate + + * - ListServerCertificates + - Lists the server certificates stored in IAM that have the specified path prefix. If none exist, the operation returns an empty list. 
+ - Certificate - Certificate Enumeration - - * - ListServiceSpecificCredentials - - Returns information about the service-specific credentials associated with the specified IAM user. If none exists, the operation returns an empty list. The service-specific credentials returned by this operation are used only for authenticating the IAM user to a specific service. - - User Account + + * - ListServiceSpecificCredentials + - Returns information about the service-specific credentials associated with the specified IAM user. If none exists, the operation returns an empty list. The service-specific credentials returned by this operation are used only for authenticating the IAM user to a specific service. + - User Account - User Account Enumeration - - * - ListSigningCertificates - - Returns information about the signing certificates associated with the specified IAM user. If none exists, the operation returns an empty list. - - User Account + + * - ListSigningCertificates + - Returns information about the signing certificates associated with the specified IAM user. If none exists, the operation returns an empty list. + - User Account - User Account Enumeration - - * - ListSSHPublicKeys - - Returns information about the SSH public keys associated with the specified IAM user. If none exists, the operation returns an empty list. - - User Account + + * - ListSSHPublicKeys + - Returns information about the SSH public keys associated with the specified IAM user. If none exists, the operation returns an empty list. + - User Account - User Account Enumeration - - * - ListUserPolicies - - Lists the names of the inline policies embedded in the specified IAM user. - - User Account + + * - ListUserPolicies + - Lists the names of the inline policies embedded in the specified IAM user. + - User Account - User Account Enumeration - - * - ListUsers - - Lists the IAM users that have the specified path prefix. 
If no path prefix is specified, the operation returns all users in the AWS account. - - User Account + + * - ListUsers + - Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account. + - User Account - User Account Enumeration - - * - ListUserTags - - Lists the tags that are attached to the specified IAM user. The returned list of tags is sorted by tag key. - - User Account + + * - ListUserTags + - Lists the tags that are attached to the specified IAM user. The returned list of tags is sorted by tag key. + - User Account - User Account Enumeration - - * - ListVirtualMFADevices - - Lists the virtual MFA devices defined in the AWS account by assignment status. If you do not specify an assignment status, the operation returns a list of all virtual MFA devices. - - User Account + + * - ListVirtualMFADevices + - Lists the virtual MFA devices defined in the AWS account by assignment status. If you do not specify an assignment status, the operation returns a list of all virtual MFA devices. + - User Account - User Account Authentication - - * - ModifyImageAttribute - - Modifies the specified attribute of the specified AMI. You can specify only one attribute at a time. - - Image + + * - ModifyImageAttribute + - Modifies the specified attribute of the specified AMI. You can specify only one attribute at a time. + - Image - Image Modification - - * - ModifySnapshotAttribute - - Adds or removes permission settings for the specified snapshot. You may add or remove specified AWS account IDs from a snapshot's list of create volume permissions, but you cannot do both in a single operation. - - Snapshot + + * - ModifySnapshotAttribute + - Adds or removes permission settings for the specified snapshot. You may add or remove specified AWS account IDs from a snapshot's list of create volume permissions, but you cannot do both in a single operation. 
+ - Snapshot - Snapshot Modification - - * - ModifyVolume - - You can modify several parameters of an existing EBS volume, including volume size, volume type, and IOPS capacity. - - Volume + + * - ModifyVolume + - You can modify several parameters of an existing EBS volume, including volume size, volume type, and IOPS capacity. + - Volume - Volume Modification - - * - PutGroupPolicy - - A policy for an IAM group has been added or updated. - - Group + + * - PutGroupPolicy + - A policy for an IAM group has been added or updated. + - Group - Group Metadata - - * - PutGroupPolicy - - Adds or updates an inline policy document that is embedded in the specified IAM group. - - Group + + * - PutGroupPolicy + - Adds or updates an inline policy document that is embedded in the specified IAM group. + - Group - Group Metadata - - * - PutRolePermissionsBoundary - - Adds or updates the policy that is specified as the IAM role's permissions boundary. You can use an AWS managed policy or a customer managed policy to set the boundary for a role. Use the boundary to control the maximum permissions that the role can have. Setting a permissions boundary is an advanced feature that can affect the permissions for the role. - - User Account - - User Account Metadata - - * - PutRolePolicy - - A policy for an IAM role has been added or updated. - - User Account - - User Account Metadata - - * - PutRolePolicy - - Adds or updates an inline policy document that is embedded in the specified IAM role. - - User Account - - User Account Metadata - - * - PutUserPermissionsBoundary - - Adds or updates the policy that is specified as the IAM user's permissions boundary. You can use an AWS managed policy or a customer managed policy to set the boundary for a user. Use the boundary to control the maximum permissions that the user can have. Setting a permissions boundary is an advanced feature that can affect the permissions for the user. 
- - User Account - - User Account Metadata - - * - PutUserPolicy - - A policy for an IAM user has been added or updated. - - User Account - - User Account Metadata - - * - PutUserPolicy - - Adds or updates an inline policy document that is embedded in the specified IAM role. - - User Account - - User Account Metadata - - * - RemoveClientIDFromOpenIDConnectProvider - - Removes the specified client ID (also known as audience) from the list of client IDs registered for the specified IAM OpenID Connect (OIDC) provider resource object. - - Active Directory + + * - PutRolePermissionsBoundary + - Adds or updates the policy that is specified as the IAM role's permissions boundary. You can use an AWS managed policy or a customer managed policy to set the boundary for a role. Use the boundary to control the maximum permissions that the role can have. Setting a permissions boundary is an advanced feature that can affect the permissions for the role. + - User Account + - User Account Metadata + + * - PutRolePolicy + - A policy for an IAM role has been added or updated. + - User Account + - User Account Metadata + + * - PutRolePolicy + - Adds or updates an inline policy document that is embedded in the specified IAM role. + - User Account + - User Account Metadata + + * - PutUserPermissionsBoundary + - Adds or updates the policy that is specified as the IAM user's permissions boundary. You can use an AWS managed policy or a customer managed policy to set the boundary for a user. Use the boundary to control the maximum permissions that the user can have. Setting a permissions boundary is an advanced feature that can affect the permissions for the user. + - User Account + - User Account Metadata + + * - PutUserPolicy + - A policy for an IAM user has been added or updated. + - User Account + - User Account Metadata + + * - PutUserPolicy + - Adds or updates an inline policy document that is embedded in the specified IAM role. 
+ - User Account + - User Account Metadata + + * - RemoveClientIDFromOpenIDConnectProvider + - Removes the specified client ID (also known as audience) from the list of client IDs registered for the specified IAM OpenID Connect (OIDC) provider resource object. + - Active Directory - Active Directory Object Modification - - * - RemoveRoleFromInstanceProfile - - An IAM role has been removed from an EC2 instance profile. - - Instance + + * - RemoveRoleFromInstanceProfile + - An IAM role has been removed from an EC2 instance profile. + - Instance - Instance Metadata - - * - RemoveUserFromGroup + + * - RemoveUserFromGroup - A user has been removed from an IAM group - - Group + - Group - Group Modification - - * - ResetServiceSpecificCredential - - Resets the password for a service-specific credential. The new password is AWS generated and cryptographically strong. It cannot be configured by the user. Resetting the password immediately invalidates the previous password associated with this user. - - Cloud Service Account + + * - ResetServiceSpecificCredential + - Resets the password for a service-specific credential. The new password is AWS generated and cryptographically strong. It cannot be configured by the user. Resetting the password immediately invalidates the previous password associated with this user. + - Cloud Service Account - Cloud Service Account Metadata - - * - ResyncMFADevice - - Synchronizes the specified MFA device with its IAM resource object on the AWS servers. - - User Account + + * - ResyncMFADevice + - Synchronizes the specified MFA device with its IAM resource object on the AWS servers. + - User Account - User Account Authentication - - * - RunInstances - - An Instance has been launched. From the associated metadata you’ll be able to determine who the owner is, what regions the resources are in, the InstanceType and more. - - Instance + + * - RunInstances + - An Instance has been launched. 
From the associated metadata you’ll be able to determine who the owner is, what regions the resources are in, the InstanceType and more. + - Instance - Instance Start - - * - SetDefaultPolicyVersion - - A version of a policy has been set as a default. This can apply to users, groups and roles. To find specifics, use the ListEntitiesForPolicy API. - - User Account - - User Account Metadata - - * - SetSecurityTokenPreferences - - Sets the specified version of the global endpoint token as the token version used for the AWS account. - - User Account + + * - SetDefaultPolicyVersion + - A version of a policy has been set as a default. This can apply to users, groups and roles. To find specifics, use the ListEntitiesForPolicy API. + - User Account + - User Account Metadata + + * - SetSecurityTokenPreferences + - Sets the specified version of the global endpoint token as the token version used for the AWS account. + - User Account - User Account Modification - - * - SimulateCustomPolicy - - Simulate how a set of IAM policies and optionally a resource-based policy works with a list of API operations and AWS resources to determine the policies' effective permissions. The policies are provided as strings. - - User Account - - User Account Metadata - - * - SimulatePrincipalPolicy - - Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions. The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to. You can simulate resources that don't exist in your account. - - User Account - - User Account Metadata - - * - StartInstances - - An instance has been started. Similar metadata to RunInstances will give you an insight into more detail. 
- - Instance + + * - SimulateCustomPolicy + - Simulate how a set of IAM policies and optionally a resource-based policy works with a list of API operations and AWS resources to determine the policies' effective permissions. The policies are provided as strings. + - User Account + - User Account Metadata + + * - SimulatePrincipalPolicy + - Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions. The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to. You can simulate resources that don't exist in your account. + - User Account + - User Account Metadata + + * - StartInstances + - An instance has been started. Similar metadata to RunInstances will give you an insight into more detail. + - Instance - Instance Start - - * - StopInstances + + * - StopInstances - Stops an Amazon EBS-backed instance. Similar to StartInstances and RunInstances. - - Instance + - Instance - Instance Stop - - * - StopLogging - - CloudTrail has stopped recording CloudTrail Events. This is a significant red flag and should almost always be avoided. - - Cloud Service + + * - StopLogging + - CloudTrail has stopped recording CloudTrail Events. This is a significant red flag and should almost always be avoided. + - Cloud Service - Cloud Service Disable - - * - TagInstanceProfile - - Adds one or more tags to an IAM instance profile. If a tag with the same key name already exists, then that tag is overwritten with the new value. - - Instance + + * - TagInstanceProfile + - Adds one or more tags to an IAM instance profile. If a tag with the same key name already exists, then that tag is overwritten with the new value. + - Instance - Instance Metadata - - * - TagMFADevice - - Adds one or more tags to an IAM virtual multi-factor authentication (MFA) device. 
If a tag with the same key name already exists, then that tag is overwritten with the new value. - - User Account + + * - TagMFADevice + - Adds one or more tags to an IAM virtual multi-factor authentication (MFA) device. If a tag with the same key name already exists, then that tag is overwritten with the new value. + - User Account - User Account Authentication - - * - TagOpenIDConnectProvider - - Adds one or more tags to an OpenID Connect (OIDC)-compatible identity provider. - - Active Directory + + * - TagOpenIDConnectProvider + - Adds one or more tags to an OpenID Connect (OIDC)-compatible identity provider. + - Active Directory - Active Directory Object Modification - - * - TagPolicy - - Adds one or more tags to an IAM customer managed policy. If a tag with the same key name already exists, then that tag is overwritten with the new value. - - User Account - - User Account Metadata - - * - TagRole - - Adds one or more tags to an IAM role. The role can be a regular role or a service-linked role. If a tag with the same key name already exists, then that tag is overwritten with the new value. - - User Account - - User Account Metadata - - * - TagSAMLProvider - - Adds one or more tags to a Security Assertion Markup Language (SAML) identity provider. - - Active Directory + + * - TagPolicy + - Adds one or more tags to an IAM customer managed policy. If a tag with the same key name already exists, then that tag is overwritten with the new value. + - User Account + - User Account Metadata + + * - TagRole + - Adds one or more tags to an IAM role. The role can be a regular role or a service-linked role. If a tag with the same key name already exists, then that tag is overwritten with the new value. + - User Account + - User Account Metadata + + * - TagSAMLProvider + - Adds one or more tags to a Security Assertion Markup Language (SAML) identity provider. 
+ - Active Directory - Active Directory Object Modification - - * - TagServerCertificate - - Adds one or more tags to an IAM server certificate. If a tag with the same key name already exists, then that tag is overwritten with the new value. - - Certificate + + * - TagServerCertificate + - Adds one or more tags to an IAM server certificate. If a tag with the same key name already exists, then that tag is overwritten with the new value. + - Certificate - Certificate Modification - - * - TagUser - - Adds one or more tags to an IAM user. If a tag with the same key name already exists, then that tag is overwritten with the new value. - - User Account + + * - TagUser + - Adds one or more tags to an IAM user. If a tag with the same key name already exists, then that tag is overwritten with the new value. + - User Account - User Account Modification - - * - UntagInstanceProfile - - Removes the specified tags from the IAM instance profile. - - Instance + + * - UntagInstanceProfile + - Removes the specified tags from the IAM instance profile. + - Instance - Instance Metadata - - * - UntagMFADevice - - Removes the specified tags from the IAM virtual multi-factor authentication (MFA) device. - - User Account + + * - UntagMFADevice + - Removes the specified tags from the IAM virtual multi-factor authentication (MFA) device. + - User Account - User Account Authentication - - * - UntagOpenIDConnectProvider - - Removes the specified tags from the specified OpenID Connect (OIDC)-compatible identity provider in IAM. - - Active Directory + + * - UntagOpenIDConnectProvider + - Removes the specified tags from the specified OpenID Connect (OIDC)-compatible identity provider in IAM. + - Active Directory - Active Directory Object Modification - - * - Untag Policy - - Removes the specified tags from the customer managed policy. - - User Account - - User Account Metadata - - * - UntagRole - - Removes the specified tags from the role. 
- - User Account - - User Account Metadata - - * - UntagSAMLProvider - - Removes the specified tags from the specified Security Assertion Markup Language (SAML) identity provider in IAM. - - Active Directory + + * - Untag Policy + - Removes the specified tags from the customer managed policy. + - User Account + - User Account Metadata + + * - UntagRole + - Removes the specified tags from the role. + - User Account + - User Account Metadata + + * - UntagSAMLProvider + - Removes the specified tags from the specified Security Assertion Markup Language (SAML) identity provider in IAM. + - Active Directory - Active Directory Object Modification - - * - UntagServerCertificate - - Removes the specified tags from the IAM server certificate. - - Certificate + + * - UntagServerCertificate + - Removes the specified tags from the IAM server certificate. + - Certificate - Certificate Modification - - * - UntagUser - - Removes the specified tags from the user. - - User Account + + * - UntagUser + - Removes the specified tags from the user. + - User Account - User Account Modification - - * - UpdateAccessKey - - Changes the status of the specified access key from Active to Inactive, or vice versa. This operation can be used to disable a user's key as part of a key rotation workflow. - - User Account + + * - UpdateAccessKey + - Changes the status of the specified access key from Active to Inactive, or vice versa. This operation can be used to disable a user's key as part of a key rotation workflow. + - User Account - User Account Modification - - * - UpdateAccountPasswordPolicy - - Updates the password policy settings for the AWS account. - - User Account - - User Account Metadata - - * - UpdateAssumeRolePolicy - - Updates the policy that grants an IAM entity permission to assume a role. - - User Account - - User Account Metadata - - * - UpdateGroup - - Updates the name and/or the path of the specified IAM group. 
- - Group + + * - UpdateAccountPasswordPolicy + - Updates the password policy settings for the AWS account. + - User Account + - User Account Metadata + + * - UpdateAssumeRolePolicy + - Updates the policy that grants an IAM entity permission to assume a role. + - User Account + - User Account Metadata + + * - UpdateGroup + - Updates the name and/or the path of the specified IAM group. + - Group - Group Modification - - * - UpdateLoginProfile - - Changes the password for the specified IAM user. - - User Account - - User Account Metadata - - * - UpdateOpenIDConnectProviderThumbprint - - Replaces the existing list of server certificate thumbprints associated with an OpenID Connect (OIDC) provider resource object with a new list of thumbprints. - - Active Directory + + * - UpdateLoginProfile + - Changes the password for the specified IAM user. + - User Account + - User Account Metadata + + * - UpdateOpenIDConnectProviderThumbprint + - Replaces the existing list of server certificate thumbprints associated with an OpenID Connect (OIDC) provider resource object with a new list of thumbprints. + - Active Directory - Active Directory Object Modification - - * - UpdateRole - - Updates the description or maximum session duration setting of a role. - - User Account - - User Account Metadata - - * - UpdateSAMLProvider - - Updates the metadata document for an existing SAML provider resource object. - - Active Directory + + * - UpdateRole + - Updates the description or maximum session duration setting of a role. + - User Account + - User Account Metadata + + * - UpdateSAMLProvider + - Updates the metadata document for an existing SAML provider resource object. + - Active Directory - Active Directory Object Modification - - * - UpdateServerCertificate - - Updates the name and/or the path of the specified server certificate stored in IAM. - - Certificate + + * - UpdateServerCertificate + - Updates the name and/or the path of the specified server certificate stored in IAM. 
+ - Certificate - Certificate Modification - - * - UpdateServiceSpecificCredential - - Sets the status of a service-specific credential to Active or Inactive. Service-specific credentials that are inactive cannot be used for authentication to the service. This operation can be used to disable a user's service-specific credential as part of a credential rotation work flow. - - User Account + + * - UpdateServiceSpecificCredential + - Sets the status of a service-specific credential to Active or Inactive. Service-specific credentials that are inactive cannot be used for authentication to the service. This operation can be used to disable a user's service-specific credential as part of a credential rotation work flow. + - User Account - User Account Modification - - * - UpdateSigningCertificate - - Changes the status of the specified user signing certificate from active to disabled, or vice versa. This operation can be used to disable an IAM user's signing certificate as part of a certificate rotation work flow. - - User Account + + * - UpdateSigningCertificate + - Changes the status of the specified user signing certificate from active to disabled, or vice versa. This operation can be used to disable an IAM user's signing certificate as part of a certificate rotation work flow. + - User Account - User Account Modification - - * - UpdateSSHPublicKey - - Sets the status of an IAM user's SSH public key to active or inactive. SSH public keys that are inactive cannot be used for authentication. This operation can be used to disable a user's SSH public key as part of a key rotation work flow. - - User Account + + * - UpdateSSHPublicKey + - Sets the status of an IAM user's SSH public key to active or inactive. SSH public keys that are inactive cannot be used for authentication. This operation can be used to disable a user's SSH public key as part of a key rotation work flow. 
+ - User Account - User Account Modification - - * - UpdateUser - - Updates the name and/or the path of the specified IAM user. - - User Account + + * - UpdateUser + - Updates the name and/or the path of the specified IAM user. + - User Account - User Account Modification - - * - UploadServerCertificate - - Uploads a server certificate entity for the AWS account. The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded. - - User Account + + * - UploadServerCertificate + - Uploads a server certificate entity for the AWS account. The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded. + - User Account - User Account Modification - - * - UploadSigningCertificate - - Uploads an X.509 signing certificate and associates it with the specified IAM user. - - User Account + + * - UploadSigningCertificate + - Uploads an X.509 signing certificate and associates it with the specified IAM user. + - User Account - User Account Modification - - * - UploadSSHPublicKey - - Uploads an SSH public key and associates it with the specified IAM user. - - User Account + + * - UploadSSHPublicKey + - Uploads an SSH public key and associates it with the specified IAM user. + - User Account - User Account Modification -.. /MAPPINGS_TABLE \ No newline at end of file +.. /MAPPINGS_TABLE diff --git a/docs/levels/mapping_osquery.rst b/docs/levels/mapping_osquery.rst index a89029b..50105e9 100644 --- a/docs/levels/mapping_osquery.rst +++ b/docs/levels/mapping_osquery.rst 
@@ -1,9 +1,21 @@ OSQuery ======= -`OSQuery mappings STIX JSON `_: STIX bundle file output of OSQuery sensor mappings. +Browse the OSQuery mappings on this page, download the mappings (in CSV/STIX format), or +visualize the sensor coverage in ATT&CK Navigator. -`OSQuery ATT&CK Navigator Layer `_: Navigator layer of OSQuery events mapped to data objects associated with specific (sub-)techniques. +.. raw:: html + +

+ + Download CSV + + + Download STIX + + + Open in ATT&CK Navigator +

.. MAPPINGS_TABLE Generated at: 2023-10-03T10:40:58.770502Z 
@@ -16,1007 +28,1007 @@ OSQuery - ATT&CK DATA SOURCE - ATT&CK DATA COMPONENT - * - augeas - - Configuration files parsed by augeas - - File + * - augeas + - Configuration files parsed by augeas + - File - File Access - - * - smbios_tables - - BIOS (DMI) structure common details and content. - - Firmware + + * - smbios_tables + - BIOS (DMI) structure common details and content. + - Firmware - Firmware Metadata - - * - wmi_bios_info - - Lists important information from the system bios. - - Firmware + + * - wmi_bios_info + - Lists important information from the system bios. + - Firmware - Firmware Metadata - - * - oem_strings - - OEM defined strings retrieved from SMBIOS. - - Firmware + + * - oem_strings + - OEM defined strings retrieved from SMBIOS. + - Firmware - Firmware Metadata - - * - platform_info - - Information about EFI/UEFI/ROM and platform/boot. - - Firmware + + * - platform_info + - Information about EFI/UEFI/ROM and platform/boot. + - Firmware - Firmware Metadata - - * - chrome_extension_content_scripts - - Content scripts associated with Chrome extensions - - Application Log + + * - chrome_extension_content_scripts + - Content scripts associated with Chrome extensions + - Application Log - Application Log Content - - * - chrome_extensions - - Chrome browser extensions - - Application Log + + * - chrome_extensions + - Chrome browser extensions + - Application Log - Application Log Content - - * - firefox_addons - - Firefox browser extensions, webapps, and addons. - - Application Log + + * - firefox_addons + - Firefox browser extensions, webapps, and addons. + - Application Log - Application Log Content - - * - ie_extensions - - Internet Explorer browser extensions. - - Application Log + + * - ie_extensions + - Internet Explorer browser extensions. + - Application Log - Application Log Content - - * - opera_extensions - - Opera browser extensions. - - Application Log + + * - opera_extensions + - Opera browser extensions. 
+ - Application Log - Application Log Content - - * - safari_extensions - - Safari browser extension details for all users. - - Application Log + + * - safari_extensions + - Safari browser extension details for all users. + - Application Log - Application Log Content - - * - browser_plugins - - All C/NPAPI browser plugin details for all users. - - Application Log + + * - browser_plugins + - All C/NPAPI browser plugin details for all users. + - Application Log - Application Log Content - - * - shell_history - - A line-delimited (command) table of per-user .*_history data. - - Command + + * - shell_history + - A line-delimited (command) table of per-user .*_history data. + - Command - Command Metadata - - * - hardware_events - - Hardware (PCI/USB/HID) events from UDEV or IOKit. - - Sensor Health - - Host Status - - * - mounts - - System mounted devices and filesystems (not process specific). - - Network Share + + * - hardware_events + - Hardware (PCI/USB/HID) events from UDEV or IOKit. + - Sensor Health + - Host Status + + * - mounts + - System mounted devices and filesystems (not process specific). + - Network Share - Network Share Access - - * - pci_devices - - PCI devices active on the host system. - - Firmware + + * - pci_devices + - PCI devices active on the host system. + - Firmware - Firmware Metadata - - * - hardware_events - - Hardware (PCI/USB/HID) events from UDEV or IOKit. - - Sensor Health - - Host Status - - * - hardware_events - - Hardware (PCI/USB/HID) events from UDEV or IOKit. - - Sensor Health - - Host Status - - * - disk_info - - Retrieve basic information about the physical disks of a system. - - Drive + + * - hardware_events + - Hardware (PCI/USB/HID) events from UDEV or IOKit. + - Sensor Health + - Host Status + + * - hardware_events + - Hardware (PCI/USB/HID) events from UDEV or IOKit. + - Sensor Health + - Host Status + + * - disk_info + - Retrieve basic information about the physical disks of a system. 
+ - Drive - Drive Access - - * - disk_encryption - - Disk encryption status and information. - - Drive + + * - disk_encryption + - Disk encryption status and information. + - Drive - Drive Access - - * - logical_drives - - Details for logical drives on the system. A logical drive generally represents a single partition. - - Drive + + * - logical_drives + - Details for logical drives on the system. A logical drive generally represents a single partition. + - Drive - Drive Access - - * - disk_events - - Track DMG disk image events (appearance/disappearance) when opened - - Drive + + * - disk_events + - Track DMG disk image events (appearance/disappearance) when opened + - Drive - Drive Access - - * - device_partitions - - Use TSK to enumerate details about partitions on a disk device. - - Drive + + * - device_partitions + - Use TSK to enumerate details about partitions on a disk device. + - Drive - Drive Access - - * - drivers - - Details for in-use Windows device drivers. This does not display installed but unused drivers. - - Driver + + * - drivers + - Details for in-use Windows device drivers. This does not display installed but unused drivers. + - Driver - Driver Metadata - - * - authenticode - - File (executable, bundle, installer, disk) code signing status. - - File + + * - authenticode + - File (executable, bundle, installer, disk) code signing status. + - File - File Metadata - - * - file_events - - Track time/action changes to files specified in configuration data. - - File + + * - file_events + - Track time/action changes to files specified in configuration data. + - File - File Creation - - * - file_events - - Track time/action changes to files specified in configuration data. - - File + + * - file_events + - Track time/action changes to files specified in configuration data. + - File - File Modification - - * - file_events - - Track time/action changes to files specified in configuration data. 
- - File + + * - file_events + - Track time/action changes to files specified in configuration data. + - File - File Deletion - - * - ntfs_journal_events - - Track time/action changes to files specified in configuration data. - - File + + * - ntfs_journal_events + - Track time/action changes to files specified in configuration data. + - File - File Metadata - - * - elf_dynamic - - ELF dynamic section information. - - File + + * - elf_dynamic + - ELF dynamic section information. + - File - File Metadata - - * - elf_info - - ELF file information. - - File + + * - elf_info + - ELF file information. + - File - File Metadata - - * - elf_sections - - ELF section information. - - File + + * - elf_sections + - ELF section information. + - File - File Metadata - - * - elf_segments - - ELF segments information. - - File + + * - elf_segments + - ELF segments information. + - File - File Metadata - - * - elf_symbols - - ELF symbol list. - - File + + * - elf_symbols + - ELF symbol list. + - File - File Metadata - - * - extended_attributes - - Returns the extended attributes for files (similar to Windows ADS). - - File + + * - extended_attributes + - Returns the extended attributes for files (similar to Windows ADS). + - File - File Metadata - - * - hash - - Filesystem hash data. - - Driver + + * - hash + - Filesystem hash data. + - Driver - Drive Metadata - - * - file - - Interactive filesystem attributes and metadata. - - File + + * - file + - Interactive filesystem attributes and metadata. + - File - File Metadata - - * - magic - - Magic number recognition library table. - - File + + * - magic + - Magic number recognition library table. + - File - File Metadata - - * - ntfs_acl_permissions - - Retrieve NTFS ACL permission information for files and directories. - - File + + * - ntfs_acl_permissions + - Retrieve NTFS ACL permission information for files and directories. 
+ - File - File Metadata - - * - signature - - File (executable, bundle, installer, disk) code signing status. - - File + + * - signature + - File (executable, bundle, installer, disk) code signing status. + - File - File Metadata - - * - ntfs_journal_events - - Track time/action changes to files specified in configuration data. - - File + + * - ntfs_journal_events + - Track time/action changes to files specified in configuration data. + - File - File Metadata - - * - acpi_tables - - Firmware ACPI functional table common metadata and content. - - Firmware + + * - acpi_tables + - Firmware ACPI functional table common metadata and content. + - Firmware - Firmware Metadata - - * - memory_array_mapped_addresses - - Data associated for address mapping of physical memory arrays. - - Kernel + + * - memory_array_mapped_addresses + - Data associated for address mapping of physical memory arrays. + - Kernel - Kernel Metadata - - * - memory_device_mapped_addresses - - Data associated for address mapping of physical memory devices. - - Kernel + + * - memory_device_mapped_addresses + - Data associated for address mapping of physical memory devices. + - Kernel - Kernel Metadata - - * - memory_error_info - - Data associated with errors of a physical memory array. - - Sensor Health - - Host Status - - * - memory_arrays - - Data associated with collection of memory devices that operate to form a memory address. - - Kernel + + * - memory_error_info + - Data associated with errors of a physical memory array. + - Sensor Health + - Host Status + + * - memory_arrays + - Data associated with collection of memory devices that operate to form a memory address. + - Kernel - Kernel Metadata - - * - memory_devices - - Physical memory device (type 17) information retrieved from SMBIOS. - - Kernel + + * - memory_devices + - Physical memory device (type 17) information retrieved from SMBIOS. + - Kernel - Kernel Metadata - - * - shared_memory - - OS shared memory regions. 
- - Kernel + + * - shared_memory + - OS shared memory regions. + - Kernel - Kernel Metadata - - * - virtual_memory_info - - Darwin Virtual Memory statistics. - - Kernel + + * - virtual_memory_info + - Darwin Virtual Memory statistics. + - Kernel - Kernel Metadata - - * - arp_cache - - Address resolution cache, both static and dynamic (from ARP, NDP) - - Sensor Health + + * - arp_cache + - Address resolution cache, both static and dynamic (from ARP, NDP) + - Sensor Health - Network Status - - * - dns_cache - - Enumerate the DNS cache using the undocumented DnsGetCacheDataTable function in dnsapi.dll. - - Sensor Health + + * - dns_cache + - Enumerate the DNS cache using the undocumented DnsGetCacheDataTable function in dnsapi.dll. + - Sensor Health - Network Status - - * - dns_resolvers - - Resolvers used by this host. - - Sensor Health + + * - dns_resolvers + - Resolvers used by this host. + - Sensor Health - Network Status - - * - lldp_neighbors - - LLDP neighbors of interfaces. - - Sensor Health + + * - lldp_neighbors + - LLDP neighbors of interfaces. + - Sensor Health - Network Status - - * - etc_protocols - - Line-parsed /etc/protocols. - - Sensor Health + + * - etc_protocols + - Line-parsed /etc/protocols. + - Sensor Health - Network Status - - * - etc_hosts - - Line-parsed /etc/hosts. - - Sensor Health + + * - etc_hosts + - Line-parsed /etc/hosts. + - Sensor Health - Network Status - - * - etc_services - - Line-parsed /etc/services. - - Sensor Health + + * - etc_services + - Line-parsed /etc/services. + - Sensor Health - Network Status - - * - routes - - The active route table for the host system. - - Sensor Health + + * - routes + - The active route table for the host system. + - Sensor Health - Network Status - - * - interface_details - - Detailed information and stats of network interfaces. - - Sensor Health + + * - interface_details + - Detailed information and stats of network interfaces. 
+ - Sensor Health - Network Status - - * - interfaces - - Network interfaces and relevant metadata. - - Sensor Health + + * - interfaces + - Network interfaces and relevant metadata. + - Sensor Health - Network Status - - * - interface_ipv6 - - IPv6 configuration and stats of network interfaces. - - Sensor Health + + * - interface_ipv6 + - IPv6 configuration and stats of network interfaces. + - Sensor Health - Network Status - - * - wifi_status - - OS X current WiFi status. - - Sensor Health + + * - wifi_status + - OS X current WiFi status. + - Sensor Health - Network Status - - * - shared_folders - - Folders available to others via SMB or AFP. - - Network Share + + * - shared_folders + - Folders available to others via SMB or AFP. + - Network Share - Network Share Access - - * - nfs_shares - - NFS shares exported by the host. - - Network Share + + * - nfs_shares + - NFS shares exported by the host. + - Network Share - Network Share Access - - * - office_mru - - View recently opened Office documents. - - File + + * - office_mru + - View recently opened Office documents. + - File - File Access - - * - portage_keywords - - A summary about portage configurations like keywords, mask and unmask. - - Sensor Health - - Host Status - - * - portage_use - - List of enabled portage USE values for specific package. - - Sensor Health - - Host Status - - * - deb_packages - - The installed DEB package database. - - Sensor Health - - Host Status - - * - homebrew_packages - - The installed homebrew package database. - - Application Log + + * - portage_keywords + - A summary about portage configurations like keywords, mask and unmask. + - Sensor Health + - Host Status + + * - portage_use + - List of enabled portage USE values for specific package. + - Sensor Health + - Host Status + + * - deb_packages + - The installed DEB package database. + - Sensor Health + - Host Status + + * - homebrew_packages + - The installed homebrew package database. 
+ - Application Log - Application Log Content - - * - npm_packages - - Lists all npm packages in a directory or globally installed in a system. - - Sensor Health - - Host Status - - * - portage_packages - - List of currently installed packages. - - Sensor Health - - Host Status - - * - programs - - Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. Some fields may be blank as Windows installation details are left to the discretion of the product author. - - Sensor Health - - Host Status - - * - python_packages - - Python packages installed in a system. - - Sensor Health - - Host Status - - * - rpm_package_files - - RPM packages that are currently installed on the host system. - - Sensor Health - - Host Status - - * - rpm_packages - - RPM packages that are currently installed on the host system. - - Sensor Health - - Host Status - - * - apt_sources - - Current list of APT repositories or software channels. - - Sensor Health - - Host Status - - * - pipes - - Named and Anonymous pipes. - - Named Pipe + + * - npm_packages + - Lists all npm packages in a directory or globally installed in a system. + - Sensor Health + - Host Status + + * - portage_packages + - List of currently installed packages. + - Sensor Health + - Host Status + + * - programs + - Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. Some fields may be blank as Windows installation details are left to the discretion of the product author. + - Sensor Health + - Host Status + + * - python_packages + - Python packages installed in a system. + - Sensor Health + - Host Status + + * - rpm_package_files + - RPM packages that are currently installed on the host system. + - Sensor Health + - Host Status + + * - rpm_packages + - RPM packages that are currently installed on the host system. 
+ - Sensor Health + - Host Status + + * - apt_sources + - Current list of APT repositories or software channels. + - Sensor Health + - Host Status + + * - pipes + - Named and Anonymous pipes. + - Named Pipe - Named Pipe Enumeration - - * - plist - - Read and parse a plist file. - - File + + * - plist + - Read and parse a plist file. + - File - File Access - - * - powershell_events - - Powershell script blocks reconstructed to their full script content, this table requires script block logging to be enabled. - - Script + + * - powershell_events + - Powershell script blocks reconstructed to their full script content, this table requires script block logging to be enabled. + - Script - Script Execution - - * - process_events - - Track time/action process executions. - - Process + + * - process_events + - Track time/action process executions. + - Process - Process Metadata - - * - process_envs - - A key/value table of environment variables for each process. - - Process + + * - process_envs + - A key/value table of environment variables for each process. + - Process - Process Metadata - - * - listening_ports - - Processes with listening (bound) network sockets/ports. - - Sensor Health + + * - listening_ports + - Processes with listening (bound) network sockets/ports. + - Sensor Health - Network Status - - * - process_memory_map - - Process memory mapped files and pseudo device/regions. - - Process + + * - process_memory_map + - Process memory mapped files and pseudo device/regions. + - Process - Process Metadata - - * - process_namespaces - - Linux namespaces for processes running on the host system. - - Process + + * - process_namespaces + - Linux namespaces for processes running on the host system. + - Process - Process Metadata - - * - process_open_files - - File descriptors for each process. - - Process + + * - process_open_files + - File descriptors for each process. 
+ - Process - Process Metadata - - * - process_open_pipes - - Pipes and partner processes for each process. - - Process + + * - process_open_pipes + - Pipes and partner processes for each process. + - Process - Process Metadata - - * - process_open_sockets - - Processes which have open network sockets on the system. - - Process + + * - process_open_sockets + - Processes which have open network sockets on the system. + - Process - Process Metadata - - * - process_file_events - - A File Integrity Monitor implementation using the audit service. - - File + + * - process_file_events + - A File Integrity Monitor implementation using the audit service. + - File - File Metadata - - * - processes - - All running processes on the host system. - - Process + + * - processes + - All running processes on the host system. + - Process - Process Enumeration - - * - appcompat_shims - - Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in a nice format. - - Windows Registry + + * - appcompat_shims + - Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in a nice format. + - Windows Registry - Windows Registry Key Access - - * - registry - - All of the Windows registry hives. - - Windows Registry + + * - registry + - All of the Windows registry hives. + - Windows Registry - Windows Registry Key Access - - * - userassist - - UserAssist Registry Key tracks when a user executes an application from Windows Explorer. - - Windows Registry + + * - userassist + - UserAssist Registry Key tracks when a user executes an application from Windows Explorer. + - Windows Registry - Windows Registry Key Access - - * - selinux_events - - Track SELinux events. - - Sensor Health - - Host Status - - * - selinux_settings - - Track active SELinux settings. 
- - Sensor Health - - Host Status - - * - services - - Lists all installed Windows services and their relevant data. - - Service + + * - selinux_events + - Track SELinux events. + - Sensor Health + - Host Status + + * - selinux_settings + - Track active SELinux settings. + - Sensor Health + - Host Status + + * - services + - Lists all installed Windows services and their relevant data. + - Service - Service Enumeration - - * - socket_events - - Track network socket opens and closes. - - Network Traffic + + * - socket_events + - Track network socket opens and closes. + - Network Traffic - Network Traffic Content - - * - authorized_keys - - A line-delimited authorized_keys table - - User Account + + * - authorized_keys + - A line-delimited authorized_keys table + - User Account - User Account Metadata - - * - ssh_configs - - A table of parsed ssh_configs. - - Sensor Health + + * - ssh_configs + - A table of parsed ssh_configs. + - Sensor Health - Network Status - - * - known_hosts - - A line-delimited known_hosts table. - - Sensor Health + + * - known_hosts + - A line-delimited known_hosts table. + - Sensor Health - Network Status - - * - ad_config - - OS X Active Directory configuration. - - Active Directory + + * - ad_config + - OS X Active Directory configuration. + - Active Directory - Active Directory Metadata - - * - sandboxes - - OS X application sandboxes container details. - - Image + + * - sandboxes + - OS X application sandboxes container details. + - Image - Image Metadata - - * - app_schemes - - OS X application schemes and handlers (e.g., http, file, mailto). - - Sensor Health - - Host Status - - * - patches - - Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs). - - Sensor Health - - Host Status - - * - authorization_mechanisms - - OS X Authorization mechanisms database. 
- - Kernel + + * - app_schemes + - OS X application schemes and handlers (e.g., http, file, mailto). + - Sensor Health + - Host Status + + * - patches + - Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs). + - Sensor Health + - Host Status + + * - authorization_mechanisms + - OS X Authorization mechanisms database. + - Kernel - Kernel Module Load - - * - authorizations - - OS X Authorization rights database. - - User Account + + * - authorizations + - OS X Authorization rights database. + - User Account - User Account Metadata - - * - autoexec - - Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more. - - Windows Registry + + * - autoexec + - Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more. + - Windows Registry - Windows Registry Key Access - - * - background_activities_moderator - - Background Activities Moderator (BAM) tracks application execution. - - Process + + * - background_activities_moderator + - Background Activities Moderator (BAM) tracks application execution. + - Process - Process Metadata - - * - winbaseobj - - Lists named Windows objects in the default object directories, across all terminal services sessions. Example Windows ojbect types include Mutexes, Events, Jobs and Semaphors. - - Sensor Health - - Host Status - - * - system_info - - System information for identification. - - Sensor Health - - Host Status - - * - battery - - Provides information about the internal battery of a Macbook. - - Sensor Health - - Host Status - - * - bitlocker_info - - Retrieve bitlocker status of the machine. 
- - Driver + + * - winbaseobj + - Lists named Windows objects in the default object directories, across all terminal services sessions. Example Windows ojbect types include Mutexes, Events, Jobs and Semaphors. + - Sensor Health + - Host Status + + * - system_info + - System information for identification. + - Sensor Health + - Host Status + + * - battery + - Provides information about the internal battery of a Macbook. + - Sensor Health + - Host Status + + * - bitlocker_info + - Retrieve bitlocker status of the machine. + - Driver - Driver Metadata - - * - block_devices - - Block (buffered access) device file nodes: disks, ramdisks, and DMG containers. - - Sensor Health - - Host Status - - * - certificates - - Certificate Authorities installed in Keychains/ca-bundles. - - Certificate + + * - block_devices + - Block (buffered access) device file nodes: disks, ramdisks, and DMG containers. + - Sensor Health + - Host Status + + * - certificates + - Certificate Authorities installed in Keychains/ca-bundles. + - Certificate - Certificate Registration - - * - chassis_info - - Display information pertaining to the chassis and its security status. - - Sensor Health - - Host Status - - * - cpuid - - Useful CPU features from the cpuid ASM call. - - Sensor Health - - Host Status - - * - cpu_info - - Info about the CPU running on the machine. - - Sensor Health - - Host Status - - * - cpu_time - - Displays information from /proc/stat file about the time the cpu cores spent in different parts of the system. - - Sensor Health - - Host Status - - * - windows_crashes - - Extracted information from Windows crash logs (Minidumps). - - Sensor Health - - Host Status - - * - crashes - - Application, System, and Mobile App crash logs. - - Sensor Health - - Host Status - - * - crontab - - Line parsed values from system and user cron/tab. - - Scheduled Job + + * - chassis_info + - Display information pertaining to the chassis and its security status. 
+ - Sensor Health + - Host Status + + * - cpuid + - Useful CPU features from the cpuid ASM call. + - Sensor Health + - Host Status + + * - cpu_info + - Info about the CPU running on the machine. + - Sensor Health + - Host Status + + * - cpu_time + - Displays information from /proc/stat file about the time the cpu cores spent in different parts of the system. + - Sensor Health + - Host Status + + * - windows_crashes + - Extracted information from Windows crash logs (Minidumps). + - Sensor Health + - Host Status + + * - crashes + - Application, System, and Mobile App crash logs. + - Sensor Health + - Host Status + + * - crontab + - Line parsed values from system and user cron/tab. + - Scheduled Job - Scheduled Job Metadata - - * - default_environment - - Default environment variables and values. - - Sensor Health - - Host Status - - * - preferences - - OS X defaults and managed preferences. - - Sensor Health - - Host Status - - * - device_file - - Similar to the file table, but use TSK and allow block address access - - Drive + + * - default_environment + - Default environment variables and values. + - Sensor Health + - Host Status + + * - preferences + - OS X defaults and managed preferences. + - Sensor Health + - Host Status + + * - device_file + - Similar to the file table, but use TSK and allow block address access + - Drive - Drive Access - - * - device_firmware - - A best-effort list of discovered firmware versions. - - Sensor Health - - Host Status - - * - device_hash - - Similar to the hash table, but use TSK and allow block address access - - File + + * - device_firmware + - A best-effort list of discovered firmware versions. + - Sensor Health + - Host Status + + * - device_hash + - Similar to the hash table, but use TSK and allow block address access + - File - File Metadata - - * - asl - - Queries the Apple System Log data structure for system events - - Sensor Health - - Host Status - - * - event_taps - - Returns information about installed event taps. 
- - Sensor Health - - Host Status - - * - fan_speed_sensors - - Fan speeds. - - Sensor Health - - Host Status - - * - alf - - OS X application layer firewall (ALF) service details. - - Firewall + + * - asl + - Queries the Apple System Log data structure for system events + - Sensor Health + - Host Status + + * - event_taps + - Returns information about installed event taps. + - Sensor Health + - Host Status + + * - fan_speed_sensors + - Fan speeds. + - Sensor Health + - Host Status + + * - alf + - OS X application layer firewall (ALF) service details. + - Firewall - Firewall Metadata - - * - alf_explicit_auths - - ALF services explicitly allowed to perform networking. - - Firewall + + * - alf_explicit_auths + - ALF services explicitly allowed to perform networking. + - Firewall - Firewall Enumeration - - * - alf_exceptions - - OS X application layer firewall (ALF) service exceptions - - Firewall + + * - alf_exceptions + - OS X application layer firewall (ALF) service exceptions + - Firewall - Firewall Rule Modification - - * - gatekeeper_apps - - Gatekeeper apps a user has allowed to run. - - Service + + * - gatekeeper_apps + - Gatekeeper apps a user has allowed to run. + - Service - Service Metadata - - * - gatekeeper - - OS X Gatekeeper Details. - - Service + + * - gatekeeper + - OS X Gatekeeper Details. + - Service - Service Metadata - - * - video_info - - Retrieve video card information of the machine. - - Sensor Health - - Host Status - - * - hvci_status - - Retrieve HVCI info of the machine. - - Sensor Health - - Host Status - - * - ibridge_info - - Information about the Apple iBridge hardware controller. - - Sensor Health - - Host Status - - * - windows_optional_features - - Lists names and installation states of windows features. Maps to Win32_OptionalFeature WMI class. 
- - Sensor Health - - Host Status - - * - apps - - OS X applications installed in known search paths (e.g., /Applications) - - Sensor Health - - Host Status - - * - sip_config - - Apple's System Integrity Protection (rootless) status. - - Sensor Health - - Host Status - - * - intel_me_info - - Intel ME/CSE Info. - - Sensor Health - - Host Status - - * - iokit_devicetree - - The IOKit registry matching the DeviceTree plane. - - Driver + + * - video_info + - Retrieve video card information of the machine. + - Sensor Health + - Host Status + + * - hvci_status + - Retrieve HVCI info of the machine. + - Sensor Health + - Host Status + + * - ibridge_info + - Information about the Apple iBridge hardware controller. + - Sensor Health + - Host Status + + * - windows_optional_features + - Lists names and installation states of windows features. Maps to Win32_OptionalFeature WMI class. + - Sensor Health + - Host Status + + * - apps + - OS X applications installed in known search paths (e.g., /Applications) + - Sensor Health + - Host Status + + * - sip_config + - Apple's System Integrity Protection (rootless) status. + - Sensor Health + - Host Status + + * - intel_me_info + - Intel ME/CSE Info. + - Sensor Health + - Host Status + + * - iokit_devicetree + - The IOKit registry matching the DeviceTree plane. + - Driver - Driver Metadata - - * - iokit_registry - - The full IOKit registry without selecting a plane. - - Driver + + * - iokit_registry + - The full IOKit registry without selecting a plane. + - Driver - Driver Metadata - - * - kernel_extensions - - OS X's kernel extensions, both loaded and within the load search path. - - Kernel + + * - kernel_extensions + - OS X's kernel extensions, both loaded and within the load search path. + - Kernel - Kernel Metadata - - * - kernel_info - - Basic active kernel information. - - Kernel + + * - kernel_info + - Basic active kernel information. + - Kernel - Kernel Metadata - - * - kernel_panics - - System kernel panic logs. 
- - Sensor Health - - Host Status - - * - system_controls - - sysctl names, values, and settings information. - - Sensor Health - - Host Status - - * - kva_speculative_info - - Display kernel virtual address and speculative execution information for the system. - - Kernel + + * - kernel_panics + - System kernel panic logs. + - Sensor Health + - Host Status + + * - system_controls + - sysctl names, values, and settings information. + - Sensor Health + - Host Status + + * - kva_speculative_info + - Display kernel virtual address and speculative execution information for the system. + - Kernel - Kernel Metadata - - * - keychain_acls - - Applications that have ACL entries in the keychain. - - Sensor Health - - Host Status - - * - keychain_items - - Generic details about keychain items. - - Sensor Health - - Host Status - - * - launchd - - LaunchAgents and LaunchDaemons from default search paths. - - Scheduled Job + + * - keychain_acls + - Applications that have ACL entries in the keychain. + - Sensor Health + - Host Status + + * - keychain_items + - Generic details about keychain items. + - Sensor Health + - Host Status + + * - launchd + - LaunchAgents and LaunchDaemons from default search paths. + - Scheduled Job - Scheduled Job Metadata - - * - launchd_overrides - - Override keys, per user, for LaunchDaemons and Agents. - - Scheduled Job + + * - launchd_overrides + - Override keys, per user, for LaunchDaemons and Agents. + - Scheduled Job - Scheduled Job Metadata - - * - fbsd_kmods - - Loaded FreeBSD kernel modules. - - Kernel + + * - fbsd_kmods + - Loaded FreeBSD kernel modules. + - Kernel - Kernel Module Load - - * - kernel_modules - - Linux kernel modules both loaded and within the load search path. - - Kernel + + * - kernel_modules + - Linux kernel modules both loaded and within the load search path. + - Kernel - Kernel Module Load - - * - groups - - Local system groups. - - Group + + * - groups + - Local system groups. 
+ - Group - Group Metadata - - * - logged_in_users - - Users with an active shell on the system. - - Logon Session + + * - logged_in_users + - Users with an active shell on the system. + - Logon Session - Logon Session Metadata - - * - last - - System logins and logouts. - - Logon Session + + * - last + - System logins and logouts. + - Logon Session - Logon Session Metadata - - * - managed_policies - - The managed configuration policies from AD, MDM, MCX, etc. - - Active Directory + + * - managed_policies + - The managed configuration policies from AD, MDM, MCX, etc. + - Active Directory - Active Directory Object Access - - * - memory_info - - Main memory information in bytes. - - Sensor Health - - Host Status - - * - memory_map - - OS memory region map. - - Sensor Health - - Host Status - - * - connectivity - - Booleans about Windows network connectivity. - - Sensor Health - - Host Status - - * - ntdomains - - Display basic NT domain information of a Windows machine. - - Sensor Health - - Host Status - - * - os_version - - A single row containing the operating system name and version. - - Sensor Health - - Host Status - - * - package_bom - - OS X package bill of materials (BOM) file list. - - File + + * - memory_info + - Main memory information in bytes. + - Sensor Health + - Host Status + + * - memory_map + - OS memory region map. + - Sensor Health + - Host Status + + * - connectivity + - Booleans about Windows network connectivity. + - Sensor Health + - Host Status + + * - ntdomains + - Display basic NT domain information of a Windows machine. + - Sensor Health + - Host Status + + * - os_version + - A single row containing the operating system name and version. + - Sensor Health + - Host Status + + * - package_bom + - OS X package bill of materials (BOM) file list. + - File - File Metadata - - * - package_receipts - - OS X package receipt details. - - Process + + * - package_receipts + - OS X package receipt details. 
+ - Process - Process Metadata - - * - iptables - - Linux IP packet filtering and NAT tool. - - Firewall + + * - iptables + - Linux IP packet filtering and NAT tool. + - Firewall - Firewall Enumeration - - * - cups_jobs - - Returns all completed print jobs from cups. - - Sensor Health - - Host Status - - * - cups_destinations - - Returns all configured printers. - - Sensor Health - - Host Status - - * - quicklook_cache - - Files and thumbnails within OS X's Quicklook Cache. - - File + + * - cups_jobs + - Returns all completed print jobs from cups. + - Sensor Health + - Host Status + + * - cups_destinations + - Returns all configured printers. + - Sensor Health + - Host Status + + * - quicklook_cache + - Files and thumbnails within OS X's Quicklook Cache. + - File - File Metadata - - * - windows_security_products - - Enumeration of registered Windows security products. - - Sensor Health - - Host Status - - * - ulimit_info - - System resource usage limits. - - Sensor Health - - Host Status - - * - running_apps - - macOS applications currently running on the host system. - - Process + + * - windows_security_products + - Enumeration of registered Windows security products. + - Sensor Health + - Host Status + + * - ulimit_info + - System resource usage limits. + - Sensor Health + - Host Status + + * - running_apps + - macOS applications currently running on the host system. + - Process - Process Creation - - * - screenlock - - macOS screenlock status for the current logged in user context. - - User Interface + + * - screenlock + - macOS screenlock status for the current logged in user context. + - User Interface - System Settings - - * - apparmor_events - - Track AppArmor (security auditing) events. - - Sensor Health - - Host Status - - * - apparmor_profiles - - Track active AppArmor profiles. - - Sensor Health - - Host Status - - * - windows_security_center - - The health status of Window Security features. Health values can be "Good", "Poor". 
"Snoozed", "Not Monitored", and "Error". - - Sensor Health - - Host Status - - * - shared_resources - - Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device. - - Sensor Health - - Host Status - - * - sharing_preferences - - OS X Sharing preferences. - - Network Share + + * - apparmor_events + - Track AppArmor (security auditing) events. + - Sensor Health + - Host Status + + * - apparmor_profiles + - Track active AppArmor profiles. + - Sensor Health + - Host Status + + * - windows_security_center + - The health status of Window Security features. Health values can be "Good", "Poor". "Snoozed", "Not Monitored", and "Error". + - Sensor Health + - Host Status + + * - shared_resources + - Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device. + - Sensor Health + - Host Status + + * - sharing_preferences + - OS X Sharing preferences. + - Network Share - Network Share Access - - * - shimcache - - Application Compatibility Cache, contains artifacts of execution. - - File + + * - shimcache + - Application Compatibility Cache, contains artifacts of execution. + - File - File Metadata - - * - mdfind - - Run searches against the spotlight database. - - File + + * - mdfind + - Run searches against the spotlight database. + - File - File Metadata - - * - mdls - - Query file metadata in the Spotlight database. - - File + + * - mdls + - Query file metadata in the Spotlight database. + - File - File Metadata - - * - startup_items - - Applications and binaries set as user/login startup items. - - Windows Registry + + * - startup_items + - Applications and binaries set as user/login startup items. + - Windows Registry - Windows Registry Key Access - - * - sudoers - - Rules for running commands as other users via sudo. 
- - Sensor Health - - Host Status - - * - suid_bin - - suid binaries in common locations. - - File + + * - sudoers + - Rules for running commands as other users via sudo. + - Sensor Health + - Host Status + + * - suid_bin + - suid binaries in common locations. + - File - File Metadata - - * - syslog_events - - Linux syslog events. - - Sensor Health - - Host Status - - * - time_machine_backups - - Backups to drives using TimeMachine. - - Drive + + * - syslog_events + - Linux syslog events. + - Sensor Health + - Host Status + + * - time_machine_backups + - Backups to drives using TimeMachine. + - Drive - Drive Modification - - * - time_machine_destinations - - Locations backed up to using Time Machine. - - Drive + + * - time_machine_destinations + - Locations backed up to using Time Machine. + - Drive - Drive Metadata - - * - usb_devices - - USB devices that are actively plugged into the host system. - - Drive + + * - usb_devices + - USB devices that are actively plugged into the host system. + - Drive - Drive Creation - - * - xprotect_meta - - Database of the machine's XProtect browser-related signatures. - - Sensor Health - - Host Status - - * - xprotect_entries - - Database of the machine's XProtect signatures. - - Sensor Health - - Host Status - - * - xprotect_reports - - Database of XProtect matches (if user generated/sent an XProtect report). - - Sensor Health - - Host Status - - * - scheduled_tasks - - Lists all of the tasks in the Windows task scheduler. - - Scheduled Task + + * - xprotect_meta + - Database of the machine's XProtect browser-related signatures. + - Sensor Health + - Host Status + + * - xprotect_entries + - Database of the machine's XProtect signatures. + - Sensor Health + - Host Status + + * - xprotect_reports + - Database of XProtect matches (if user generated/sent an XProtect report). + - Sensor Health + - Host Status + + * - scheduled_tasks + - Lists all of the tasks in the Windows task scheduler. 
+ - Scheduled Task - Scheduled Task Enumeration - - * - account_policy_data - - Additional OS X user account data from the AccountPolicy section of OpenDirectory. - - User Account + + * - account_policy_data + - Additional OS X user account data from the AccountPolicy section of OpenDirectory. + - User Account - User Account Metadata - - * - users - - Local user accounts (including domain accounts that have logged on locally (Windows)). - - User Account + + * - users + - Local user accounts (including domain accounts that have logged on locally (Windows)). + - User Account - User Account Access - - * - user_events - - Track user events from the audit framework. - - User Account + + * - user_events + - Track user events from the audit framework. + - User Account - User Account Authentication - - * - user_groups - - Local system user group relationships. - - Group + + * - user_groups + - Local system user group relationships. + - Group - Group Metadata - - * - logon_sessions - - Windows Logon Session. - - Logon Session + + * - logon_sessions + - Windows Logon Session. + - Logon Session - Logon Session Metadata - - * - shadow - - Local system users encrypted passwords and related information. Please note, that you usually need superuser rights to access `/etc/shadow`. - - User Account + + * - shadow + - Local system users encrypted passwords and related information. Please note, that you usually need superuser rights to access `/etc/shadow`. + - User Account - User Account Metadata - * - user_ssh_keys - - Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted. - - User Account + * - user_ssh_keys + - Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted. + - User Account - User Account Metadata - - * - wmi_cli_event_consumers - - WMI CommandLineEventConsumer, which can be used for persistence on Windows. 
- - WMI + + * - wmi_cli_event_consumers + - WMI CommandLineEventConsumer, which can be used for persistence on Windows. + - WMI - WMI Creation - - * - wmi_filter_consumer_binding - - Lists the relationship between event consumers and filters. - - WMI + + * - wmi_filter_consumer_binding + - Lists the relationship between event consumers and filters. + - WMI - WMI Enumeration - - * - wmi_event_filters - - Lists WMI event filters. - - WMI + + * - wmi_event_filters + - Lists WMI event filters. + - WMI - WMI Enumeration - - * - wmi_script_event_consumers - - WMI ActiveScriptEventConsumer, which can be used for persistence on Windows. - - WMI + + * - wmi_script_event_consumers + - WMI ActiveScriptEventConsumer, which can be used for persistence on Windows. + - WMI - WMI Creation -.. /MAPPINGS_TABLE \ No newline at end of file +.. /MAPPINGS_TABLE diff --git a/docs/levels/mapping_sysmon.rst b/docs/levels/mapping_sysmon.rst index 67d1699..0d265d5 100644 --- a/docs/levels/mapping_sysmon.rst +++ b/docs/levels/mapping_sysmon.rst @@ -1,9 +1,21 @@ Sysmon ====== -`Sysmon mappings STIX JSON `_: STIX bundle file output of Sysmon sensor mappings. +Browse the Sysmon mappings on this page, download the mappings (in CSV/STIX format), or +visualize the sensor coverage in ATT&CK Navigator. -`Sysmon ATT&CK Navigator Layer `_: Navigator layer of Sysmon events mapped to data objects associated with specific (sub-)techniques. +.. raw:: html + +

+ + Download CSV + + + Download STIX + + + Open in ATT&CK Navigator +

.. MAPPINGS_TABLE Generated at: 2023-10-03T10:40:58.770502Z 
@@ -16,133 +28,133 @@ Sysmon - ATT&CK DATA SOURCE - ATT&CK DATA COMPONENT - * - 1 - - A new process has been created - - Process + * - 1 + - A new process has been created + - Process - process creation - - * - 2 - - A process changed a file creation time - - File + + * - 2 + - A process changed a file creation time + - File - file modification - - * - 3 - - Network connection - - network traffic + + * - 3 + - Network connection + - network traffic - network connection creation - - * - 4 - - Sysmon service state changed - - service + + * - 4 + - Sysmon service state changed + - service - service metadata - - * - 5 - - Process terminated - - Process + + * - 5 + - Process terminated + - Process - process termination - - * - 6 - - Driver loaded - - Driver + + * - 6 + - Driver loaded + - Driver - Driver load - - * - 7 - - Image Loaded - - module + + * - 7 + - Image Loaded + - module - module load - - * - 8 - - The CreateRemoteThread event detects when a process creates a thread in another process. - - Process + + * - 8 + - The CreateRemoteThread event detects when a process creates a thread in another process. 
+ - Process - process modification - - * - 9 - - The RawAccessRead event detects when a process conducts reading operations from the drive using the \.\ denotation - - File + + * - 9 + - The RawAccessRead event detects when a process conducts reading operations from the drive using the \.\ denotation + - File - file access - - * - 10 - - ProcessAccess - - Process + + * - 10 + - ProcessAccess + - Process - process access - - * - 11 - - FileCreate - - File + + * - 11 + - FileCreate + - File - file creation - - * - 12 - - RegistryEvent (Object create and delete) - - windows registry + + * - 12 + - RegistryEvent (Object create and delete) + - windows registry - windows registry key creation - - * - 12 - - RegistryEvent (Object create and delete) - - windows registry + + * - 12 + - RegistryEvent (Object create and delete) + - windows registry - windows registry key deletion - - * - 13 - - RegistryEvent (Value Set) - - windows registry + + * - 13 + - RegistryEvent (Value Set) + - windows registry - windows registry key modification - - * - 14 - - RegistryEvent (Key and Value Rename) - - windows registry + + * - 14 + - RegistryEvent (Key and Value Rename) + - windows registry - windows registry key modification - - * - 15 - - FileCreateStreamHash - - File + + * - 15 + - FileCreateStreamHash + - File - file creation - * - 17 - - PipeEvent (Pipe Created) - - named pipe + * - 17 + - PipeEvent (Pipe Created) + - named pipe - named pipe created - - * - 18 - - PipeEvent (Pipe Connected) - - Named Pipe + + * - 18 + - PipeEvent (Pipe Connected) + - Named Pipe - Named Pipe Connection - - * - 19 - - WmiEvent (WmiEventFilter activity detected). - - wmi + + * - 19 + - WmiEvent (WmiEventFilter activity detected). + - wmi - wmi creation - - * - 19 - - WmiEvent (WmiEventFilter activity detected). - - wmi + + * - 19 + - WmiEvent (WmiEventFilter activity detected). + - wmi - wmi deletion - - * - 20 - - WmiEvent (WmiEventConsumer activity detected). 
- - wmi + + * - 20 + - WmiEvent (WmiEventConsumer activity detected). + - wmi - wmi creation - - * - 20 - - WmiEvent (WmiEventConsumer activity detected). - - wmi + + * - 20 + - WmiEvent (WmiEventConsumer activity detected). + - wmi - wmi deletion - - * - 23 - - FileDelete - - File + + * - 23 + - FileDelete + - File - file deletion - - * - 25 - - Process Tampering - - Process + + * - 25 + - Process Tampering + - Process - process modification - - * - 26 - - File Delete logged - - File + + * - 26 + - File Delete logged + - File - file deletion - - * - 30 - - EventID(30) - - Process + + * - 30 + - EventID(30) + - Process - process metadata -.. /MAPPINGS_TABLE \ No newline at end of file +.. /MAPPINGS_TABLE diff --git a/docs/levels/mapping_winevtx.rst b/docs/levels/mapping_winevtx.rst index 76f8a86..9adce4c 100644 --- a/docs/levels/mapping_winevtx.rst +++ b/docs/levels/mapping_winevtx.rst @@ -1,9 +1,21 @@ WinEvtx ======= -`Windows Event Log mappings STIX JSON `_: STIX bundle file output of Windows Event Log sensor mappings. +Browse the WinEvtx mappings on this page, download the mappings (in CSV/STIX format), or +visualize the sensor coverage in ATT&CK Navigator. -`Windows Event Log ATT&CK Navigator Layer `_: Navigator layer of Windows Event Log events mapped to data objects associated with specific (sub-)techniques. +.. raw:: html + +

+ + Download CSV + + + Download STIX + + + Open in ATT&CK Navigator +

.. MAPPINGS_TABLE Generated at: 2023-10-03T10:40:58.770502Z 
@@ -16,763 +28,763 @@ WinEvtx - ATT&CK DATA SOURCE - ATT&CK DATA COMPONENT - * - 1100 - - The event logging service has shut down. - - sensor health + * - 1100 + - The event logging service has shut down. + - sensor health - host status - - * - 1101 - - Audit events have been dropped by the transport. - - sensor health + + * - 1101 + - Audit events have been dropped by the transport. + - sensor health - host status - - * - 1102 - - The audit log was cleared. - - sensor health + + * - 1102 + - The audit log was cleared. + - sensor health - host status - - * - 1104 - - The security Log is now full. - - sensor health + + * - 1104 + - The security Log is now full. + - sensor health - host status - - * - 2002 - - A Windows Defender Firewall setting has changed. - - firewall + + * - 2002 + - A Windows Defender Firewall setting has changed. + - firewall - firewall metadata - - * - 2003 - - A Windows Defender Firewall setting in the Private profile has changed. - - firewall + + * - 2003 + - A Windows Defender Firewall setting in the Private profile has changed. + - firewall - firewall metadata - - * - 2004 - - A rule has been added to the Windows Defender Firewall exception list - - firewall + + * - 2004 + - A rule has been added to the Windows Defender Firewall exception list + - firewall - firewall rule modification - - * - 2005 - - A rule has been modified in the Windows Defender Firewall exception list. - - firewall + + * - 2005 + - A rule has been modified in the Windows Defender Firewall exception list. + - firewall - firewall rule modification - - * - 2006 - - A rule has been deleted in the Windows Defender Firewall exception list - - firewall + + * - 2006 + - A rule has been deleted in the Windows Defender Firewall exception list + - firewall - firewall rule modification - - * - 2009 - - The Windows Firewall service failed to load Group Policy. - - firewall + + * - 2009 + - The Windows Firewall service failed to load Group Policy. 
+ - firewall - firewall metadata - - * - 2033 - - All rules have been deleted from the Windows Firewall configuration on this computer. - - firewall + + * - 2033 + - All rules have been deleted from the Windows Firewall configuration on this computer. + - firewall - firewall rule modification - - * - 4103 - - Module logging. - - command + + * - 4103 + - Module logging. + - command - command execution - - * - 4103 - - Module logging. - - script + + * - 4103 + - Module logging. + - script - script execution - - * - 4104 - - Script Block Logging. - - script + + * - 4104 + - Script Block Logging. + - script - script execution - - * - 4610 - - An authentication package has been loaded by the Local Security Authority. - - logon session + + * - 4610 + - An authentication package has been loaded by the Local Security Authority. + - logon session - logon session metadata - - * - 4611 - - A trusted logon process has been registered with the Local Security Authority. - - logon session + + * - 4611 + - A trusted logon process has been registered with the Local Security Authority. + - logon session - logon session metadata - - * - 4614 - - A notification package has been loaded by the Security Account Manager. - - logon session + + * - 4614 + - A notification package has been loaded by the Security Account Manager. + - logon session - logon session metadata - - * - 4616 - - The system time was changed. - - sensor health + + * - 4616 + - The system time was changed. + - sensor health - host status - - * - 4622 - - A security package has been loaded by the Local Security Authority. - - logon session + + * - 4622 + - A security package has been loaded by the Local Security Authority. 
+ - logon session - logon session metadata - - * - 4624 - - An account was successfully logged on - - logon session + + * - 4624 + - An account was successfully logged on + - logon session - logon session creation - - * - 4625 - - An account failed to log on - - user account - - user account authentication - - * - 4627 - - Group membership information. - - Group + + * - 4625 + - An account failed to log on + - user account + - user account authentication + + * - 4627 + - Group membership information. + - Group - Group Metdata - - * - 4634 - - An account was logged off - - logon session + + * - 4634 + - An account was logged off + - logon session - logon session metadata - - * - 4647 - - User initiated logoff. - - logon session + + * - 4647 + - User initiated logoff. + - logon session - logon session metadata - - * - 4648 - - A logon was attempted using explicit credentials. - - user account + + * - 4648 + - A logon was attempted using explicit credentials. + - user account - user account authentication - - * - 4656 - - A handle to an object was requested. - - File + + * - 4656 + - A handle to an object was requested. + - File - file access - - * - 4656 - - A handle to an object was requested. - - named pipe + + * - 4656 + - A handle to an object was requested. + - named pipe - named pipe metadata - - * - 4656 - - A handle to an object was requested - - Process + + * - 4656 + - A handle to an object was requested + - Process - process access - - * - 4656 - - A handle to an object was requested. - - service + + * - 4656 + - A handle to an object was requested. + - service - service access - - * - 4656 - - A handle to an object was requested - - windows registry + + * - 4656 + - A handle to an object was requested + - windows registry - Windows Registry Key Access - - * - 4657 - - A registry value was modified. - - windows registry + + * - 4657 + - A registry value was modified. 
+ - windows registry - windows registry key creation - - * - 4657 - - A registry value was modified. - - windows registry + + * - 4657 + - A registry value was modified. + - windows registry - windows registry key deletion - - * - 4657 - - A registry value was modified. - - windows registry + + * - 4657 + - A registry value was modified. + - windows registry - windows registry key modification - - * - 4660 - - An object was deleted. - - File + + * - 4660 + - An object was deleted. + - File - file deletion - - * - 4660 - - An object was deleted. - - windows registry + + * - 4660 + - An object was deleted. + - windows registry - windows registry key deletion - - * - 4661 - - A handle to an object was requested. - - active directory + + * - 4661 + - A handle to an object was requested. + - active directory - active directory object access - - * - 4661 - - A handle to an object was requested. - - File + + * - 4661 + - A handle to an object was requested. + - File - file access - - * - 4662 - - An operation was performed on an object. - - active directory + + * - 4662 + - An operation was performed on an object. + - active directory - active directory object access - - * - 4663 - - An attempt was made to access an object - - File + + * - 4663 + - An attempt was made to access an object + - File - file access - - * - 4663 - - An attempt was made to access an object. - - File + + * - 4663 + - An attempt was made to access an object. + - File - file creation - - * - 4663 - - An attempt was made to access an object. - - File + + * - 4663 + - An attempt was made to access an object. 
+ - File - file deletion - - * - 4663 - - An attempt was made to access an object - - Process + + * - 4663 + - An attempt was made to access an object + - Process - process access - - * - 4663 - - An attempt was made to access an object - - windows registry + + * - 4663 + - An attempt was made to access an object + - windows registry - windows registry key access - - * - 4663 - - An attempt was made to access an object - - windows registry + + * - 4663 + - An attempt was made to access an object + - windows registry - windows registry key modification - - * - 4664 - - An attempt was made to create a hard link. - - File + + * - 4664 + - An attempt was made to create a hard link. + - File - file modification - - * - 4670 - - Permissions on an object were changed. - - File + + * - 4670 + - Permissions on an object were changed. + - File - file modification - - * - 4670 - - Permissions on an object were changed. - - windows registry + + * - 4670 + - Permissions on an object were changed. + - windows registry - windows registry key modification - - * - 4672 - - Special privileges assigned to new logon. - - logon session + + * - 4672 + - Special privileges assigned to new logon. + - logon session - logon session modification - - * - 4673 - - A privileged service was called. - - logon session + + * - 4673 + - A privileged service was called. + - logon session - logon session metadata - - * - 4674 - - An operation was attempted on a privileged object - - User Account + + * - 4674 + - An operation was attempted on a privileged object + - User Account - User Account Metadata - - * - 4674 - - An operation was attempted on a privileged object. - - logon session + + * - 4674 + - An operation was attempted on a privileged object. + - logon session - logon session metadata - - * - 4688 - - Program execution. When you start a program you are creating a process that stays open until the program ends - - Process + + * - 4688 + - Program execution. 
When you start a program you are creating a process that stays open until the program ends + - Process - process creation - - * - 4689 - - A process has exited. - - Process + + * - 4689 + - A process has exited. + - Process - process termination - - * - 4690 - - An attempt was made to duplicate a handle to an object. - - File + + * - 4690 + - An attempt was made to duplicate a handle to an object. + - File - file access - - * - 4696 - - A primary token was assigned to process. The assigning process fields identifies the process that started the child (new) process - - Process + + * - 4696 + - A primary token was assigned to process. The assigning process fields identifies the process that started the child (new) process + - Process - process creation - - * - 4697 - - A service was installed in the system. - - service + + * - 4697 + - A service was installed in the system. + - service - service creation - - * - 4698 - - A scheduled task was created. - - scheduled job + + * - 4698 + - A scheduled task was created. + - scheduled job - scheduled job creation - - * - 4699 - - A scheduled task was deleted. - - scheduled job + + * - 4699 + - A scheduled task was deleted. + - scheduled job - scheduled job deletion - - * - 4700 - - A scheduled task was enabled. - - scheduled job + + * - 4700 + - A scheduled task was enabled. + - scheduled job - scheduled job modification - - * - 4701 - - A scheduled task was disabled. - - scheduled job + + * - 4701 + - A scheduled task was disabled. + - scheduled job - scheduled job modification - - * - 4702 - - A scheduled task was updated. - - scheduled job + + * - 4702 + - A scheduled task was updated. + - scheduled job - scheduled job modification - - * - 4703 - - A user right was adjusted. - - user account + + * - 4703 + - A user right was adjusted. + - user account - user account modification - - * - 4717 - - System security access was granted to an account. 
- - user account + + * - 4717 + - System security access was granted to an account. + - user account - user account modification - - * - 4718 - - System security access was removed from an account. - - user account + + * - 4718 + - System security access was removed from an account. + - user account - user account modification - - * - 4719 - - System audit policy was changed. - - active directory + + * - 4719 + - System audit policy was changed. + - active directory - active directory object modification - - * - 4720 - - A user account was created - - user account + + * - 4720 + - A user account was created + - user account - user account creation - - * - 4722 - - A user account was enabled. - - user account + + * - 4722 + - A user account was enabled. + - user account - user account modification - - * - 4723 - - An attempt was made to change an account's password. - - user account + + * - 4723 + - An attempt was made to change an account's password. + - user account - user account modification - - * - 4724 - - An attempt was made to reset an account's password - - user account + + * - 4724 + - An attempt was made to reset an account's password + - user account - user account modification - - * - 4725 - - A user account was disabled. - - user account + + * - 4725 + - A user account was disabled. + - user account - user account modification - - * - 4726 - - A user account was deleted - - user account + + * - 4726 + - A user account was deleted + - user account - user account deletion - - * - 4727 - - A security-enabled global group was created. - - group + + * - 4727 + - A security-enabled global group was created. + - group - group creation - - * - 4728 - - A member was added to a security-enabled global group. - - group + + * - 4728 + - A member was added to a security-enabled global group. + - group - group modification - - * - 4729 - - A member was removed from a security-enabled global group. 
- - group + + * - 4729 + - A member was removed from a security-enabled global group. + - group - group modification - - * - 4730 - - A security-enabled global group was deleted. - - group + + * - 4730 + - A security-enabled global group was deleted. + - group - group deletion - - * - 4731 - - A security-enabled local group was created. - - group + + * - 4731 + - A security-enabled local group was created. + - group - group creation - - * - 4732 - - A member was added to a security-enabled local group. - - group + + * - 4732 + - A member was added to a security-enabled local group. + - group - group modification - - * - 4733 - - A member was removed from a security-enabled local group. - - group + + * - 4733 + - A member was removed from a security-enabled local group. + - group - group modification - - * - 4734 - - A security-enabled local group was deleted. - - group + + * - 4734 + - A security-enabled local group was deleted. + - group - group deletion - - * - 4735 - - A security-enabled local group was changed. - - group + + * - 4735 + - A security-enabled local group was changed. + - group - group modification - - * - 4737 - - A security-enabled global group was changed. - - active directory + + * - 4737 + - A security-enabled global group was changed. + - active directory - active directory object modification - - * - 4738 - - A user account was changed. - - user account + + * - 4738 + - A user account was changed. + - user account - user account modification - - * - 4740 - - A user account was locked out. - - user account + + * - 4740 + - A user account was locked out. + - user account - user account modification - - * - 4741 - - A computer account was created. - - user account + + * - 4741 + - A computer account was created. + - user account - user account creation - - * - 4742 - - A computer account was changed. - - user account + + * - 4742 + - A computer account was changed. 
+ - user account - user account modification - - * - 4743 - - A computer account was deleted. - - user account + + * - 4743 + - A computer account was deleted. + - user account - user account deletion - - * - 4754 - - A security-enabled universal group was created. - - group + + * - 4754 + - A security-enabled universal group was created. + - group - group creation - - * - 4755 - - A security-enabled universal group was changed. - - group + + * - 4755 + - A security-enabled universal group was changed. + - group - group modification - - * - 4756 - - A member was added to a security-enabled universal group. - - group + + * - 4756 + - A member was added to a security-enabled universal group. + - group - group modification - - * - 4757 - - A member was removed from a security-enabled universal group. - - group + + * - 4757 + - A member was removed from a security-enabled universal group. + - group - group modification - - * - 4758 - - A security-enabled universal group was deleted. - - group + + * - 4758 + - A security-enabled universal group was deleted. + - group - group deletion - - * - 4764 - - A groups type was changed. - - group + + * - 4764 + - A groups type was changed. + - group - group modification - - * - 4767 - - A user account was unlocked. - - user account + + * - 4767 + - A user account was unlocked. + - user account - user account modification - - * - 4768 - - A Kerberos authentication ticket (TGT) was requested. - - active directory + + * - 4768 + - A Kerberos authentication ticket (TGT) was requested. + - active directory - active directory credential request - - * - 4769 - - A Kerberos service ticket was requested. - - active directory + + * - 4769 + - A Kerberos service ticket was requested. 
+ - active directory - active directory credential request - - * - 4770 - - A Kerberos service ticket was renewed - - active directory + + * - 4770 + - A Kerberos service ticket was renewed + - active directory - active directory object modification - - * - 4771 - - Kerberos pre-authentication failed - - active directory - - active directory credential request - - * - 4773 - - A Kerberos service ticket request failed - - active directory + + * - 4771 + - Kerberos pre-authentication failed + - active directory + - active directory credential request + + * - 4773 + - A Kerberos service ticket request failed + - active directory - active directory object access - - * - 4776 - - The computer attempted to validate the credentials for an account - - user account + + * - 4776 + - The computer attempted to validate the credentials for an account + - user account - user account authentication - - * - 4778 - - A session was reconnected to a Window Station. - - logon session + + * - 4778 + - A session was reconnected to a Window Station. + - logon session - logon session creation - - * - 4779 - - A session was disconnected from a Window Station - - logon session + + * - 4779 + - A session was disconnected from a Window Station + - logon session - logon session terminated - - * - 4781 - - The name of an account was changed. - - user account + + * - 4781 + - The name of an account was changed. + - user account - user account modification - - * - 4798 - - A user's local group membership was enumerated. - - group + + * - 4798 + - A user's local group membership was enumerated. + - group - group enumeration - - * - 4799 - - A security-enabled local group membership was enumerated. - - group + + * - 4799 + - A security-enabled local group membership was enumerated. + - group - group enumeration - - * - 4932 - - Synchronization of a replica of an Active Directory naming context has begun. 
- - active directory + + * - 4932 + - Synchronization of a replica of an Active Directory naming context has begun. + - active directory - active directory object access - - * - 4946 - - A change has been made to Windows Firewall exception list. A rule was added. - - firewall + + * - 4946 + - A change has been made to Windows Firewall exception list. A rule was added. + - firewall - firewall rule modification - - * - 4947 - - A change has been made to Windows Firewall exception list. A rule was modified. - - firewall + + * - 4947 + - A change has been made to Windows Firewall exception list. A rule was modified. + - firewall - firewall rule modification - - * - 4948 - - A change has been made to Windows Firewall exception list. A rule was deleted. - - firewall + + * - 4948 + - A change has been made to Windows Firewall exception list. A rule was deleted. + - firewall - firewall rule modification - - * - 4950 - - A windows firewall setting has changed - - firewall + + * - 4950 + - A windows firewall setting has changed + - firewall - firewall metadata - - * - 4954 - - Windows firewall group policy settings has changed - - firewall + + * - 4954 + - Windows firewall group policy settings has changed + - firewall - firewall metadata - - * - 4964 - - Special groups have been assigned to a new logon. - - logon session + + * - 4964 + - Special groups have been assigned to a new logon. + - logon session - logon session creation - - * - 5024 - - The Windows Firewall Service has started successfully. - - firewall + + * - 5024 + - The Windows Firewall Service has started successfully. + - firewall - firewall enabled - - * - 5025 - - The Windows Firewall Service has been stopped. - - firewall + + * - 5025 + - The Windows Firewall Service has been stopped. + - firewall - firewall disable - - * - 5031 - - The Windows Firewall Service blocked an application from accepting incoming connections on the network. 
- - network traffic + + * - 5031 + - The Windows Firewall Service blocked an application from accepting incoming connections on the network. + - network traffic - network connection creation - - * - 5034 - - The Windows Firewall Driver was stopped. - - firewall + + * - 5034 + - The Windows Firewall Driver was stopped. + - firewall - firewall disable - - * - 5136 - - A directory service object was modified. - - active directory + + * - 5136 + - A directory service object was modified. + - active directory - active directory object modification - - * - 5137 - - A directory service object was created. - - active directory + + * - 5137 + - A directory service object was created. + - active directory - active directory object creation - - * - 5138 - - A directory service object was undeleted - - active directory + + * - 5138 + - A directory service object was undeleted + - active directory - active directory object creation - - * - 5139 - - A directory service object was moved. - - active directory + + * - 5139 + - A directory service object was moved. + - active directory - active directory object modification - - * - 5140 - - A network share object was accessed. - - network share + + * - 5140 + - A network share object was accessed. + - network share - network share access - - * - 5141 - - A directory service object was deleted. - - active directory + + * - 5141 + - A directory service object was deleted. + - active directory - active directory object deletion - - * - 5142 - - A network share object was added. - - network share + + * - 5142 + - A network share object was added. + - network share - network share creation - - * - 5143 - - A network share object was modified. - - network share + + * - 5143 + - A network share object was modified. + - network share - network share modification - - * - 5144 - - A network share object was deleted. - - network share + + * - 5144 + - A network share object was deleted. 
+ - network share - network share deletion - - * - 5145 - - A network share object was checked to see whether client can be granted desired access. - - named pipe + + * - 5145 + - A network share object was checked to see whether client can be granted desired access. + - named pipe - named pipe metadata - - * - 5145 - - A network share object was checked to see whether client can be granted desired access. - - network share - - network share access - - * - 5154 - - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. - - network traffic + + * - 5145 + - A network share object was checked to see whether client can be granted desired access. + - network share + - network share access + + * - 5154 + - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. + - network traffic - network connection creation - - * - 5154 - - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. - - network traffic + + * - 5154 + - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. + - network traffic - network connection creation - - * - 5155 - - The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. - - network traffic + + * - 5155 + - The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. + - network traffic - network connection creation - - * - 5155 - - The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. - - network traffic + + * - 5155 + - The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
+ - network traffic - network connection creation - - * - 5156 - - The Windows Filtering Platform has permitted a connection. - - network traffic + + * - 5156 + - The Windows Filtering Platform has permitted a connection. + - network traffic - network connection creation - - * - 5157 - - The Windows Filtering Platform has blocked a connection. - - network traffic + + * - 5157 + - The Windows Filtering Platform has blocked a connection. + - network traffic - network connection creation - - * - 5157 - - The Windows Filtering Platform has blocked a connection. - - network traffic + + * - 5157 + - The Windows Filtering Platform has blocked a connection. + - network traffic - network connection creation - - * - 5158 - - The Windows Filtering Platform has permitted a bind to a local port. - - network traffic + + * - 5158 + - The Windows Filtering Platform has permitted a bind to a local port. + - network traffic - network connection creation - - * - 5159 - - The Windows Filtering Platform has blocked a bind to a local port. - - network traffic + + * - 5159 + - The Windows Filtering Platform has blocked a bind to a local port. + - network traffic - network connection creation - - * - 5159 - - The Windows Filtering Platform has blocked a bind to a local port. - - network traffic - - network connection creation - - * - 5857 - - WMIProv provider started. - - wmi + + * - 5159 + - The Windows Filtering Platform has blocked a bind to a local port. + - network traffic + - network connection creation + + * - 5857 + - WMIProv provider started. + - wmi - wmi creation - - * - 5858 - - WMI Query Error. - - wmi + + * - 5858 + - WMI Query Error. + - wmi - wmi creation - - * - 5859 - - WMI Event. - - wmi + + * - 5859 + - WMI Event. + - wmi - wmi creation - - * - 5860 - - WMI temporary event created. - - wmi + + * - 5860 + - WMI temporary event created. + - wmi - wmi creation - - * - 5861 - - WMI permanent event created. - - wmi + + * - 5861 + - WMI permanent event created. 
+ - wmi - wmi creation - - * - 6005 - - The Event log service was started. - - sensor health + + * - 6005 + - The Event log service was started. + - sensor health - host status - - * - 6005 - - The Event log service was started. - - service + + * - 6005 + - The Event log service was started. + - service - service metadata - - * - 6006 - - The Event log service was stopped. - - sensor health + + * - 6006 + - The Event log service was stopped. + - sensor health - host status - - * - 6006 - - The Event log service was stopped. - - service - - service metadata - - * - 6416 - - A new external device was recognized by the system. - - drive + + * - 6006 + - The Event log service was stopped. + - service + - service metadata + + * - 6416 + - A new external device was recognized by the system. + - drive - drive creation - - * - 6419 - - A request was made to disable a device. - - drive + + * - 6419 + - A request was made to disable a device. + - drive - drive modification - - * - 6420 - - A device was disabled. - - drive + + * - 6420 + - A device was disabled. + - drive - drive modification - - * - 6421 - - A request was made to enable a device. - - drive + + * - 6421 + - A request was made to enable a device. + - drive - drive modification - - * - 6422 - - A device was enabled. - - drive + + * - 6422 + - A device was enabled. + - drive - drive modification - - * - 6423 - - The installation of this device is forbidden by system policy. - - drive + + * - 6423 + - The installation of this device is forbidden by system policy. + - drive - drive creation - - * - 6424 - - The installation of this device was allowed, after having previously been forbidden by policy. - - drive + + * - 6424 + - The installation of this device was allowed, after having previously been forbidden by policy. + - drive - drive creation -.. /MAPPINGS_TABLE \ No newline at end of file +.. /MAPPINGS_TABLE diff --git a/docs/levels/mapping_zeek.rst b/docs/levels/mapping_zeek.rst index ee513a8..9c7b672 100644 
--- a/docs/levels/mapping_zeek.rst +++ b/docs/levels/mapping_zeek.rst @@ -1,10 +1,21 @@ ZEEK ==== +Browse the Zeek mappings on this page, download the mappings (in CSV/STIX format), or +visualize the sensor coverage in ATT&CK Navigator. -`Zeek mappings STIX JSON `_: STIX bundle file output of Zeek sensor mappings. +.. raw:: html -`Zeek ATT&CK Navigator Layer `_: Navigator layer of Zeek events mapped to data objects associated with specific (sub-)techniques. +

+ + Download CSV + + + Download STIX + + + Open in ATT&CK Navigator +

.. MAPPINGS_TABLE Generated at: 2023-10-03T10:40:58.770502Z 
@@ -17,1138 +28,1138 @@ ZEEK - ATT&CK DATA SOURCE - ATT&CK DATA COMPONENT - * - dce_rpc_alter_context_resp - - Generated for every DCE-RPC alter context response message. - - Network Traffic - - Network Traffic Flow - - * - dce_rpc_alter_context - - Generated for every DCE-RPC alter context request message. - - Network Traffic - - Network Traffic Flow - - * - dce_rpc_bind - - Generated for every DCE-RPC bind request message. - - Network Traffic - - Network Traffic Flow - - * - dce_rpc_bind_ack - - Generated for every DCE-RPC bind request ack message. - - Network Traffic - - Network Traffic Flow - - * - mime_all_data - - Generated for passing on all data decoded from a single email MIME message. - - Network Traffic - - Network Traffic Content - - * - mime_all_headers - - Generated for MIME headers extracted from email MIME entities, passing all headers at once. - - Network Traffic - - Network Traffic Flow - - * - mime_entity_data - - Generated for data decoded from an email MIME entity. - - Network Traffic - - Network Traffic Content - - * - mime_content_hash - - Generated for decoded MIME entities extracted from email messages, passing on their MD5 checksums. - - Network Traffic - - Network Traffic Content - - * - http_content_type - - Generated for reporting an HTTP body’s content type. - - Network Traffic - - Network Traffic Content - - * - http_entity_data - - Generated when parsing an HTTP body entity, passing on the data. - - Network Traffic - - Network Traffic Content - - * - http_all_headers - - Generated for HTTP headers, passing on all headers of an HTTP message at once. - - Network Traffic - - Network Traffic Content - - * - icmp_unreachable - - Generated for ICMP destination unreachable messages. - - Network Traffic - - Network Traffic Content - - * - icmp_neighbor_advertisement - - Generated for ICMP neighbor advertisement messages. 
- - Network Traffic - - Network Traffic Content - - * - icmp_neighbor_solicitation - - Generated for ICMP neighbor solicitation messages. - - Network Traffic - - Network Traffic Content - - * - icmp_neighbor_advertisement - - Generated for ICMP router advertisement messages. - - Network Traffic - - Network Traffic Content - - * - icmp_neighbor_solicitation - - Generated for ICMP router solicitation messages. - - Network Traffic - - Network Traffic Content - - * - imap_capabilities - - Generated when a server sends a capability list to the client, after being queried using the CAPABILITY command. - - Network Traffic - - Network Traffic Flow - - * - imap_start_tls - - Generated when a IMAP connection goes encrypted after a successful StartTLS exchange between the client and the server. - - Network Traffic - - Network Traffic Flow - - * - krb_ap_request - - A Kerberos 5 Authentication Header (AP) Request as defined in RFC 4120. - - Network Traffic - - Network Traffic Flow - - * - krb_ap_response - - A Kerberos 5 Authentication Header (AP) Response as defined in RFC 4120. - - Network Traffic - - Network Traffic Flow - - * - krb_as_request - - A Kerberos 5 Authentication Server (AS) Request as defined in RFC 4120. - - Network Traffic - - Network Traffic Flow - - * - krb_as_response - - A Kerberos 5 Authentication Server (AS) Response as defined in RFC 4120. - - Network Traffic - - Network Traffic Flow - - * - krb_tgs_request - - A Kerberos 5 Ticket Granting Service (TGS) Request as defined in RFC 4120. - - Network Traffic - - Network Traffic Flow - - * - krb_tgs_response - - A Kerberos 5 Ticket Granting Service (TGS) Response as defined in RFC 4120. - - Network Traffic - - Network Traffic Flow - - * - netbios_session_accepted - - Generated for NetBIOS messages of type positive session response. - - Network Traffic - - Network Traffic Flow - - * - netbios_session_keepalive - - Generated for NetBIOS messages of type keep-alive. 
- - Network Traffic - - Network Traffic Flow - - * - netbios_session_message - - Generated for all NetBIOS SSN and DGM messages. - - Network Traffic - - Network Traffic Flow - - * - netbios_session_raw_message - - Generated for NetBIOS messages of type session message that are not carrying an SMB payload. - - Network Traffic - - Network Traffic Content - - * - netbios_session_rejected - - Generated for NetBIOS messages of type negative session response. - - Network Traffic - - Network Traffic Flow - - * - netbios_session_request - - Generated for NetBIOS messages of type session request. - - Network Traffic - - Network Traffic Flow - - * - netbios_session_ret_arg_resp - - Generated for NetBIOS messages of type retarget response. - - Network Traffic - - Network Traffic Flow - - * - ntlm_authenticate - - Generated for NTLM messages of type authenticate. - - Network Traffic + * - dce_rpc_alter_context_resp + - Generated for every DCE-RPC alter context response message. + - Network Traffic + - Network Traffic Flow + + * - dce_rpc_alter_context + - Generated for every DCE-RPC alter context request message. + - Network Traffic + - Network Traffic Flow + + * - dce_rpc_bind + - Generated for every DCE-RPC bind request message. + - Network Traffic + - Network Traffic Flow + + * - dce_rpc_bind_ack + - Generated for every DCE-RPC bind request ack message. + - Network Traffic + - Network Traffic Flow + + * - mime_all_data + - Generated for passing on all data decoded from a single email MIME message. + - Network Traffic + - Network Traffic Content + + * - mime_all_headers + - Generated for MIME headers extracted from email MIME entities, passing all headers at once. + - Network Traffic + - Network Traffic Flow + + * - mime_entity_data + - Generated for data decoded from an email MIME entity. + - Network Traffic + - Network Traffic Content + + * - mime_content_hash + - Generated for decoded MIME entities extracted from email messages, passing on their MD5 checksums. 
+ - Network Traffic + - Network Traffic Content + + * - http_content_type + - Generated for reporting an HTTP body’s content type. + - Network Traffic + - Network Traffic Content + + * - http_entity_data + - Generated when parsing an HTTP body entity, passing on the data. + - Network Traffic + - Network Traffic Content + + * - http_all_headers + - Generated for HTTP headers, passing on all headers of an HTTP message at once. + - Network Traffic + - Network Traffic Content + + * - icmp_unreachable + - Generated for ICMP destination unreachable messages. + - Network Traffic + - Network Traffic Content + + * - icmp_neighbor_advertisement + - Generated for ICMP neighbor advertisement messages. + - Network Traffic + - Network Traffic Content + + * - icmp_neighbor_solicitation + - Generated for ICMP neighbor solicitation messages. + - Network Traffic + - Network Traffic Content + + * - icmp_neighbor_advertisement + - Generated for ICMP router advertisement messages. + - Network Traffic + - Network Traffic Content + + * - icmp_neighbor_solicitation + - Generated for ICMP router solicitation messages. + - Network Traffic + - Network Traffic Content + + * - imap_capabilities + - Generated when a server sends a capability list to the client, after being queried using the CAPABILITY command. + - Network Traffic + - Network Traffic Flow + + * - imap_start_tls + - Generated when a IMAP connection goes encrypted after a successful StartTLS exchange between the client and the server. + - Network Traffic + - Network Traffic Flow + + * - krb_ap_request + - A Kerberos 5 Authentication Header (AP) Request as defined in RFC 4120. + - Network Traffic + - Network Traffic Flow + + * - krb_ap_response + - A Kerberos 5 Authentication Header (AP) Response as defined in RFC 4120. + - Network Traffic + - Network Traffic Flow + + * - krb_as_request + - A Kerberos 5 Authentication Server (AS) Request as defined in RFC 4120. 
+ - Network Traffic + - Network Traffic Flow + + * - krb_as_response + - A Kerberos 5 Authentication Server (AS) Response as defined in RFC 4120. + - Network Traffic + - Network Traffic Flow + + * - krb_tgs_request + - A Kerberos 5 Ticket Granting Service (TGS) Request as defined in RFC 4120. + - Network Traffic + - Network Traffic Flow + + * - krb_tgs_response + - A Kerberos 5 Ticket Granting Service (TGS) Response as defined in RFC 4120. + - Network Traffic + - Network Traffic Flow + + * - netbios_session_accepted + - Generated for NetBIOS messages of type positive session response. + - Network Traffic + - Network Traffic Flow + + * - netbios_session_keepalive + - Generated for NetBIOS messages of type keep-alive. + - Network Traffic + - Network Traffic Flow + + * - netbios_session_message + - Generated for all NetBIOS SSN and DGM messages. + - Network Traffic + - Network Traffic Flow + + * - netbios_session_raw_message + - Generated for NetBIOS messages of type session message that are not carrying an SMB payload. + - Network Traffic + - Network Traffic Content + + * - netbios_session_rejected + - Generated for NetBIOS messages of type negative session response. + - Network Traffic + - Network Traffic Flow + + * - netbios_session_request + - Generated for NetBIOS messages of type session request. + - Network Traffic + - Network Traffic Flow + + * - netbios_session_ret_arg_resp + - Generated for NetBIOS messages of type retarget response. + - Network Traffic + - Network Traffic Flow + + * - ntlm_authenticate + - Generated for NTLM messages of type authenticate. + - Network Traffic - Network Connection Creation - - * - ntlm_challenge - - Generated for NTLM messages of type challenge. - - Network Traffic + + * - ntlm_challenge + - Generated for NTLM messages of type challenge. + - Network Traffic - Network Connection Creation - - * - ntlm_negotiate - - Generated for NTLM messages of type negotiate. 
- - Network Traffic - - Network Traffic Flow - - * - ntp_message - - Generated for all NTP messages. - - Network Traffic - - Network Traffic Flow - - * - pop3_data - - Generated for server-side multi-line responses on POP3 connections. - - Network Traffic - - Network Traffic Flow - - * - pop3_login_failure - - Generated for unsuccessful authentications on POP3 connections. - - Network Traffic - - Network Traffic Flow - - * - pop3_login_success - - Generated for successful authentications on POP3 connections. - - Network Traffic + + * - ntlm_negotiate + - Generated for NTLM messages of type negotiate. + - Network Traffic + - Network Traffic Flow + + * - ntp_message + - Generated for all NTP messages. + - Network Traffic + - Network Traffic Flow + + * - pop3_data + - Generated for server-side multi-line responses on POP3 connections. + - Network Traffic + - Network Traffic Flow + + * - pop3_login_failure + - Generated for unsuccessful authentications on POP3 connections. + - Network Traffic + - Network Traffic Flow + + * - pop3_login_success + - Generated for successful authentications on POP3 connections. + - Network Traffic - Network Connection Creation - - * - pop3_starttls - - Generated when a POP3 connection goes encrypted. - - Network Traffic - - Network Traffic Flow - - * - rdp_begin_encryption - - Generated when an RDP session becomes encrypted. - - Network Traffic - - Network Traffic Flow - - * - rdp_client_cluster_data - - Generated for client cluster data packets. - - Network Traffic - - Network Traffic Content - - * - rdp_client_core_data - - Generated for MCS client requests. - - Network Traffic - - Network Traffic Content - - * - rdp_client_network_data - - Generated for Client Network Data (TS_UD_CS_NET) packets. - - Network Traffic - - Network Traffic Content - - * - rdp_client_security_data - - Generated for client security data packets. 
- - Network Traffic - - Network Traffic Content - - * - rdp_connect_request - - Generated for X.224 client requests. - - Network Traffic - - Network Traffic Flow - - * - rdp_gcc_server_create_response - - Generated for MCS server responses. - - Network Traffic - - Network Traffic Flow - - * - rdp_native_encrypted_data - - Generated for each packet after RDP native encryption begins. - - Network Traffic - - Network Traffic Flow - - * - rdp_negotiation_failure - - Generated for RDP Negotiation Failure messages. - - Network Traffic - - Network Traffic Flow - - * - rdp_negotiation_response - - Generated for RDP Negotiation Response messages. - - Network Traffic - - Network Traffic Flow - - * - rdp_server_certificate - - Generated for a server certificate section. - - Network Traffic - - Network Traffic Content - - * - rdp_server_security - - Generated for MCS server responses. - - Network Traffic - - Network Traffic Flow - - * - rdpeudp_data - - Generated when for data messages exchanged after a RDPEUDP connection establishes - - Network Traffic - - Network Traffic Flow - - * - rdpeudp_established - - Generated when RDPEUDP connections are established (both sides SYN) - - Network Traffic + + * - pop3_starttls + - Generated when a POP3 connection goes encrypted. + - Network Traffic + - Network Traffic Flow + + * - rdp_begin_encryption + - Generated when an RDP session becomes encrypted. + - Network Traffic + - Network Traffic Flow + + * - rdp_client_cluster_data + - Generated for client cluster data packets. + - Network Traffic + - Network Traffic Content + + * - rdp_client_core_data + - Generated for MCS client requests. + - Network Traffic + - Network Traffic Content + + * - rdp_client_network_data + - Generated for Client Network Data (TS_UD_CS_NET) packets. + - Network Traffic + - Network Traffic Content + + * - rdp_client_security_data + - Generated for client security data packets. 
+ - Network Traffic + - Network Traffic Content + + * - rdp_connect_request + - Generated for X.224 client requests. + - Network Traffic + - Network Traffic Flow + + * - rdp_gcc_server_create_response + - Generated for MCS server responses. + - Network Traffic + - Network Traffic Flow + + * - rdp_native_encrypted_data + - Generated for each packet after RDP native encryption begins. + - Network Traffic + - Network Traffic Flow + + * - rdp_negotiation_failure + - Generated for RDP Negotiation Failure messages. + - Network Traffic + - Network Traffic Flow + + * - rdp_negotiation_response + - Generated for RDP Negotiation Response messages. + - Network Traffic + - Network Traffic Flow + + * - rdp_server_certificate + - Generated for a server certificate section. + - Network Traffic + - Network Traffic Content + + * - rdp_server_security + - Generated for MCS server responses. + - Network Traffic + - Network Traffic Flow + + * - rdpeudp_data + - Generated when for data messages exchanged after a RDPEUDP connection establishes + - Network Traffic + - Network Traffic Flow + + * - rdpeudp_established + - Generated when RDPEUDP connections are established (both sides SYN) + - Network Traffic - Network Connection Creation - - * - rdpeudp_syn - - Generated for RDPEUDP SYN UDP Datagram - - Network Traffic + + * - rdpeudp_syn + - Generated for RDPEUDP SYN UDP Datagram + - Network Traffic - Network Connection Creation - - * - rdpeudp_synack - - Generated for RDPEUDP SYNACK UDP Datagram - - Network Traffic + + * - rdpeudp_synack + - Generated for RDPEUDP SYNACK UDP Datagram + - Network Traffic - Network Connection Creation - - * - rpc_call - - Generated for RPC call messages. - - Network Traffic - - Network Traffic Flow - - * - rpc_reply - - Generated for RPC reply messages. - - Network Traffic - - Network Traffic Flow - - * - rpc_dialogue - - Generated for RPC request/reply pairs. 
- - Network Traffic - - Network Traffic Flow - - * - mount_proc_mnt - - Generated for MOUNT3 request/reply dialogues of type mnt. - - Network Traffic - - Network Traffic Flow - - * - mount_proc_not_implemented - - Generated for MOUNT3 request/reply dialogues of a type that Zeek’s MOUNTv3 analyzer does not implement. - - Network Traffic - - Network Traffic Flow - - * - mount_proc_null - - Generated for MOUNT3 request/reply dialogues of type null. - - Network Traffic - - Network Traffic Flow - - * - mount_proc_umnt - - Generated for MOUNT3 request/reply dialogues of type umnt. - - Network Traffic - - Network Traffic Flow - - * - mount_proc_umnt_all - - Generated for MOUNT3 request/reply dialogues of type umnt_all. - - Network Traffic - - Network Traffic Flow - - * - mount_reply_status - - Generated for each MOUNT3 reply message received, reporting just the status included. - - Network Traffic - - Network Traffic Content - - * - nfs_proc_create - - Generated for NFSv3 request/reply dialogues of type create. - - Network Traffic - - Network Traffic Flow - - * - nfs_proc_getattr - - Generated for NFSv3 request/reply dialogues of type getattr. - - Network Traffic - - Network Traffic Flow - - * - nfs_proc_link - - Generated for NFSv3 request/reply dialogues of type link. - - Network Traffic - - Network Traffic Flow - - * - nfs_proc_lookup - - Generated for NFSv3 request/reply dialogues of type lookup. - - Network Traffic - - Network Traffic Flow - - * - nfs_proc_mkdir - - Generated for NFSv3 request/reply dialogues of type mkdir. - - Network Traffic - - Network Traffic Flow - - * - nfs_proc_mkdir - - Generated for NFSv3 request/reply dialogues of type null. - - Network Traffic - - Network Traffic Flow - - * - nfs_proc_read - - Generated for NFSv3 request/reply dialogues of type read. - - Network Traffic - - Network Traffic Flow - - * - nfs_proc_readdir - - Generated for NFSv3 request/reply dialogues of type readdir. 
- - Network Traffic - - Network Traffic Flow - - * - nfs_proc_readlink - - Generated for NFSv3 request/reply dialogues of type readlink. - - Network Traffic - - Network Traffic Flow - - * - nfs_proc_remove - - Generated for NFSv3 request/reply dialogues of type remove. - - Network Traffic - - Network Traffic Flow - - * - nfs_proc_rename - - Generated for NFSv3 request/reply dialogues of type rename. - - Network Traffic - - Network Traffic Flow - - * - nfs_proc_rmdir - - Generated for NFSv3 request/reply dialogues of type rmdir. - - Network Traffic - - Network Traffic Flow - - * - nfs_proc_sattr - - Generated for NFSv3 request/reply dialogues of type sattr. - - Network Traffic - - Network Traffic Flow - - * - nfs_proc_symlink - - Generated for NFSv3 request/reply dialogues of type symlink. - - Network Traffic - - Network Traffic Flow - - * - nfs_proc_write - - Generated for NFSv3 request/reply dialogues of type write. - - Network Traffic - - Network Traffic Flow - - * - nfs_reply_status - - Generated for each NFSv3 reply message received, reporting just the status included. - - Network Traffic - - Network Traffic Flow - - * - pm_attempt_callit - - Generated for failed Portmapper requests of type callit. - - Network Traffic - - Network Traffic Flow - - * - pm_attempt_dump - - Generated for failed Portmapper requests of type dump. - - Network Traffic - - Network Traffic Flow - - * - pm_attempt_getport - - Generated for failed Portmapper requests of type getport. - - Network Traffic - - Network Traffic Flow - - * - pm_attempt_null - - Generated for failed Portmapper requests of type null. - - Network Traffic - - Network Traffic Flow - - * - pm_attempt_set - - Generated for failed Portmapper requests of type set. - - Network Traffic - - Network Traffic Flow - - * - pm_attempt_unset - - Generated for failed Portmapper requests of type unset. 
- - Network Traffic - - Network Traffic Flow - - * - pm_bad_port - - Generated for Portmapper requests or replies that include an invalid port number. - - Network Traffic - - Network Traffic Flow - - * - pm_request_callit - - Generated for Portmapper request/reply dialogues of type callit. - - Network Traffic - - Network Traffic Content - - * - pm_request_dump - - Generated for Portmapper request/reply dialogues of type dump. - - Network Traffic - - Network Traffic Content - - * - pm_request_getport - - Generated for Portmapper request/reply dialogues of type getport. - - Network Traffic - - Network Traffic Content - - * - pm_request_null - - Generated for Portmapper request/reply dialogues of type null. - - Network Traffic - - Network Traffic Content - - * - pm_request_set - - Generated for Portmapper request/reply dialogues of type set. - - Network Traffic - - Network Traffic Content - - * - pm_request_unset - - Generated for Portmapper request/reply dialogues of type unset. - - Network Traffic - - Network Traffic Content - - * - sip_all_headers - - Generated once for all SIP headers from the originator or responder. - - Network Traffic - - Network Traffic Content - - * - sip_reply - - Generated for SIP replies, used in Voice over IP (VoIP). - - Network Traffic - - Network Traffic Flow - - * - sip_request - - Generated for SIP requests, used in Voice over IP (VoIP). - - Network Traffic - - Network Traffic Flow - - * - smb2_negotiate_request - - Generated for SMB/CIFS version 2 requests of type negotiate. - - Network Traffic - - Network Traffic Content - - * - smb2_negotiate_response - - Generated for SMB/CIFS version 2 responses of type negotiate. - - Network Traffic - - Network Traffic Content - - * - smb2_read_request - - Generated for SMB/CIFS version 2 requests of type read. - - Network Traffic - - Network Traffic Content - - * - smb2_session_setup_request - - Generated for SMB/CIFS version 2 requests of type session_setup. 
- - Network Traffic - - Network Traffic Content - - * - smb2_session_setup_response - - Generated for SMB/CIFS version 2 responses of type session_setup. - - Network Traffic - - Network Traffic Content - - * - smb2_file_allocation - - Generated for SMB/CIFS version 2 requests of type set_info of the allocation subtype - - Network Traffic - - Network Traffic Content - - * - smb2_file_allocation - - Generated for SMB/CIFS version 2 requests of type set_info of the delete subtype - - Network Traffic - - Network Traffic Content - - * - smb2_file_endoffile - - Generated for SMB/CIFS version 2 requests of type set_info of the end_of_file subtype - - Network Traffic - - Network Traffic Content - - * - smb2_file_fscontrol - - Generated for SMB/CIFS version 2 requests of type set_info of the fs_control subtype - - Network Traffic - - Network Traffic Content - - * - smb2_file_fsobjectid - - Generated for SMB/CIFS version 2 requests of type set_info of the fs_object_id subtype - - Network Traffic - - Network Traffic Content - - * - smb2_file_fullea - - Generated for SMB/CIFS version 2 requests of type set_info of the full_EA subtype - - Network Traffic - - Network Traffic Content - - * - smb2_file_link - - Generated for SMB/CIFS version 2 requests of type set_info of the link subtype - - Network Traffic - - Network Traffic Content - - * - smb2_file_mode - - Generated for SMB/CIFS version 2 requests of type set_info of the mode subtype - - Network Traffic - - Network Traffic Content - - * - smb2_file_pipe - - Generated for SMB/CIFS version 2 requests of type set_info of the pipe subtype - - Network Traffic - - Network Traffic Content - - * - smb2_file_position - - Generated for SMB/CIFS version 2 requests of type set_info of the position subtype - - Network Traffic - - Network Traffic Content - - * - smb2_file_rename - - Generated for SMB/CIFS version 2 requests of type set_info of the rename subtype - - Network Traffic - - Network Traffic Content - - * - smb2_file_sattr - - 
Generated for SMB/CIFS version 2 requests of type set_info of the sattr subtype - - Network Traffic - - Network Traffic Content - - * - smb2_file_shortname - - Generated for SMB/CIFS version 2 requests of type set_info of the short_name subtype - - Network Traffic - - Network Traffic Content - - * - smb2_file_validdatalength - - Generated for SMB/CIFS version 2 requests of type set_info of the valid_data_length subtype - - Network Traffic - - Network Traffic Content - - * - smb2_transform_header - - Generated for SMB/CIFS version 3.x transform_header. - - Network Traffic - - Network Traffic Content - - * - smb2_tree_connect_request - - Generated for SMB/CIFS version 2 requests of type tree_connect. - - Network Traffic - - Network Traffic Content - - * - smb2_tree_connect_response - - Generated for SMB/CIFS version 2 responses of type tree_connect. - - Network Traffic - - Network Traffic Content - - * - smb2_tree_disconnect_request - - Generated for SMB/CIFS version 2 requests of type tree disconnect. - - Network Traffic - - Network Traffic Content - - * - smb2_tree_disconnect_response - - Generated for SMB/CIFS version 2 responses of type tree disconnect. - - Network Traffic - - Network Traffic Content - - * - smb2_write_request - - Generated for SMB/CIFS version 2 requests of type write. - - Network Traffic - - Network Traffic Content - - * - smb2_write_response - - Generated for SMB/CIFS version 2 responses of type write. - - Network Traffic - - Network Traffic Content - - * - smtp_data - - Generated for DATA transmitted on SMTP sessions. - - Network Traffic - - Network Traffic Flow - - * - smtp_starttls - - Generated if a connection switched to using TLS using STARTTLS or X-ANONYMOUSTLS. - - Network Traffic - - Network Traffic Flow - - * - snmp_encrypted_pdu - - An SNMPv3 encrypted PDU message. - - Network Traffic - - Network Traffic Content - - * - snmp_get_bulk_request - - An SNMP GetBulkRequest-PDU message from RFC 3416. 
- - Network Traffic - - Network Traffic Flow - - * - snmp_get_next_request - - An SNMP GetNextRequest-PDU message from either RFC 1157 or RFC 3416. - - Network Traffic - - Network Traffic Flow - - * - snmp_get_request - - An SNMP GetRequest-PDU message from either RFC 1157 or RFC 3416. - - Network Traffic - - Network Traffic Content - - * - snmp_inform_request - - An SNMP InformRequest-PDU message from RFC 3416. - - Network Traffic - - Network Traffic Flow - - * - snmp_report - - An SNMP Report-PDU message from RFC 3416. - - Network Traffic - - Network Traffic Content - - * - snmp_response - - An SNMP GetResponse-PDU message from RFC 1157 or a Response-PDU from RFC 3416. - - Network Traffic - - Network Traffic Flow - - * - snmp_set_request - - An SNMP SetRequest-PDU message from either RFC 1157 or RFC 3416. - - Network Traffic - - Network Traffic Content - - * - snmp_trap - - An SNMP Trap-PDU message from RFC 1157. - - Network Traffic - - Network Traffic Content - - * - snmp_trapv2 - - An SNMP SNMPv2-Trap-PDU message from RFC 1157. - - Network Traffic - - Network Traffic Content - - * - socks_login_userpass_reply - - Generated when a SOCKS server replies to a username/password login attempt. - - Network Traffic + + * - rpc_call + - Generated for RPC call messages. + - Network Traffic + - Network Traffic Flow + + * - rpc_reply + - Generated for RPC reply messages. + - Network Traffic + - Network Traffic Flow + + * - rpc_dialogue + - Generated for RPC request/reply pairs. + - Network Traffic + - Network Traffic Flow + + * - mount_proc_mnt + - Generated for MOUNT3 request/reply dialogues of type mnt. + - Network Traffic + - Network Traffic Flow + + * - mount_proc_not_implemented + - Generated for MOUNT3 request/reply dialogues of a type that Zeek’s MOUNTv3 analyzer does not implement. + - Network Traffic + - Network Traffic Flow + + * - mount_proc_null + - Generated for MOUNT3 request/reply dialogues of type null. 
+ - Network Traffic + - Network Traffic Flow + + * - mount_proc_umnt + - Generated for MOUNT3 request/reply dialogues of type umnt. + - Network Traffic + - Network Traffic Flow + + * - mount_proc_umnt_all + - Generated for MOUNT3 request/reply dialogues of type umnt_all. + - Network Traffic + - Network Traffic Flow + + * - mount_reply_status + - Generated for each MOUNT3 reply message received, reporting just the status included. + - Network Traffic + - Network Traffic Content + + * - nfs_proc_create + - Generated for NFSv3 request/reply dialogues of type create. + - Network Traffic + - Network Traffic Flow + + * - nfs_proc_getattr + - Generated for NFSv3 request/reply dialogues of type getattr. + - Network Traffic + - Network Traffic Flow + + * - nfs_proc_link + - Generated for NFSv3 request/reply dialogues of type link. + - Network Traffic + - Network Traffic Flow + + * - nfs_proc_lookup + - Generated for NFSv3 request/reply dialogues of type lookup. + - Network Traffic + - Network Traffic Flow + + * - nfs_proc_mkdir + - Generated for NFSv3 request/reply dialogues of type mkdir. + - Network Traffic + - Network Traffic Flow + + * - nfs_proc_mkdir + - Generated for NFSv3 request/reply dialogues of type null. + - Network Traffic + - Network Traffic Flow + + * - nfs_proc_read + - Generated for NFSv3 request/reply dialogues of type read. + - Network Traffic + - Network Traffic Flow + + * - nfs_proc_readdir + - Generated for NFSv3 request/reply dialogues of type readdir. + - Network Traffic + - Network Traffic Flow + + * - nfs_proc_readlink + - Generated for NFSv3 request/reply dialogues of type readlink. + - Network Traffic + - Network Traffic Flow + + * - nfs_proc_remove + - Generated for NFSv3 request/reply dialogues of type remove. + - Network Traffic + - Network Traffic Flow + + * - nfs_proc_rename + - Generated for NFSv3 request/reply dialogues of type rename. 
+ - Network Traffic + - Network Traffic Flow + + * - nfs_proc_rmdir + - Generated for NFSv3 request/reply dialogues of type rmdir. + - Network Traffic + - Network Traffic Flow + + * - nfs_proc_sattr + - Generated for NFSv3 request/reply dialogues of type sattr. + - Network Traffic + - Network Traffic Flow + + * - nfs_proc_symlink + - Generated for NFSv3 request/reply dialogues of type symlink. + - Network Traffic + - Network Traffic Flow + + * - nfs_proc_write + - Generated for NFSv3 request/reply dialogues of type write. + - Network Traffic + - Network Traffic Flow + + * - nfs_reply_status + - Generated for each NFSv3 reply message received, reporting just the status included. + - Network Traffic + - Network Traffic Flow + + * - pm_attempt_callit + - Generated for failed Portmapper requests of type callit. + - Network Traffic + - Network Traffic Flow + + * - pm_attempt_dump + - Generated for failed Portmapper requests of type dump. + - Network Traffic + - Network Traffic Flow + + * - pm_attempt_getport + - Generated for failed Portmapper requests of type getport. + - Network Traffic + - Network Traffic Flow + + * - pm_attempt_null + - Generated for failed Portmapper requests of type null. + - Network Traffic + - Network Traffic Flow + + * - pm_attempt_set + - Generated for failed Portmapper requests of type set. + - Network Traffic + - Network Traffic Flow + + * - pm_attempt_unset + - Generated for failed Portmapper requests of type unset. + - Network Traffic + - Network Traffic Flow + + * - pm_bad_port + - Generated for Portmapper requests or replies that include an invalid port number. + - Network Traffic + - Network Traffic Flow + + * - pm_request_callit + - Generated for Portmapper request/reply dialogues of type callit. + - Network Traffic + - Network Traffic Content + + * - pm_request_dump + - Generated for Portmapper request/reply dialogues of type dump. 
+ - Network Traffic + - Network Traffic Content + + * - pm_request_getport + - Generated for Portmapper request/reply dialogues of type getport. + - Network Traffic + - Network Traffic Content + + * - pm_request_null + - Generated for Portmapper request/reply dialogues of type null. + - Network Traffic + - Network Traffic Content + + * - pm_request_set + - Generated for Portmapper request/reply dialogues of type set. + - Network Traffic + - Network Traffic Content + + * - pm_request_unset + - Generated for Portmapper request/reply dialogues of type unset. + - Network Traffic + - Network Traffic Content + + * - sip_all_headers + - Generated once for all SIP headers from the originator or responder. + - Network Traffic + - Network Traffic Content + + * - sip_reply + - Generated for SIP replies, used in Voice over IP (VoIP). + - Network Traffic + - Network Traffic Flow + + * - sip_request + - Generated for SIP requests, used in Voice over IP (VoIP). + - Network Traffic + - Network Traffic Flow + + * - smb2_negotiate_request + - Generated for SMB/CIFS version 2 requests of type negotiate. + - Network Traffic + - Network Traffic Content + + * - smb2_negotiate_response + - Generated for SMB/CIFS version 2 responses of type negotiate. + - Network Traffic + - Network Traffic Content + + * - smb2_read_request + - Generated for SMB/CIFS version 2 requests of type read. + - Network Traffic + - Network Traffic Content + + * - smb2_session_setup_request + - Generated for SMB/CIFS version 2 requests of type session_setup. + - Network Traffic + - Network Traffic Content + + * - smb2_session_setup_response + - Generated for SMB/CIFS version 2 responses of type session_setup. 
+ - Network Traffic + - Network Traffic Content + + * - smb2_file_allocation + - Generated for SMB/CIFS version 2 requests of type set_info of the allocation subtype + - Network Traffic + - Network Traffic Content + + * - smb2_file_allocation + - Generated for SMB/CIFS version 2 requests of type set_info of the delete subtype + - Network Traffic + - Network Traffic Content + + * - smb2_file_endoffile + - Generated for SMB/CIFS version 2 requests of type set_info of the end_of_file subtype + - Network Traffic + - Network Traffic Content + + * - smb2_file_fscontrol + - Generated for SMB/CIFS version 2 requests of type set_info of the fs_control subtype + - Network Traffic + - Network Traffic Content + + * - smb2_file_fsobjectid + - Generated for SMB/CIFS version 2 requests of type set_info of the fs_object_id subtype + - Network Traffic + - Network Traffic Content + + * - smb2_file_fullea + - Generated for SMB/CIFS version 2 requests of type set_info of the full_EA subtype + - Network Traffic + - Network Traffic Content + + * - smb2_file_link + - Generated for SMB/CIFS version 2 requests of type set_info of the link subtype + - Network Traffic + - Network Traffic Content + + * - smb2_file_mode + - Generated for SMB/CIFS version 2 requests of type set_info of the mode subtype + - Network Traffic + - Network Traffic Content + + * - smb2_file_pipe + - Generated for SMB/CIFS version 2 requests of type set_info of the pipe subtype + - Network Traffic + - Network Traffic Content + + * - smb2_file_position + - Generated for SMB/CIFS version 2 requests of type set_info of the position subtype + - Network Traffic + - Network Traffic Content + + * - smb2_file_rename + - Generated for SMB/CIFS version 2 requests of type set_info of the rename subtype + - Network Traffic + - Network Traffic Content + + * - smb2_file_sattr + - Generated for SMB/CIFS version 2 requests of type set_info of the sattr subtype + - Network Traffic + - Network Traffic Content + + * - smb2_file_shortname 
+ - Generated for SMB/CIFS version 2 requests of type set_info of the short_name subtype + - Network Traffic + - Network Traffic Content + + * - smb2_file_validdatalength + - Generated for SMB/CIFS version 2 requests of type set_info of the valid_data_length subtype + - Network Traffic + - Network Traffic Content + + * - smb2_transform_header + - Generated for SMB/CIFS version 3.x transform_header. + - Network Traffic + - Network Traffic Content + + * - smb2_tree_connect_request + - Generated for SMB/CIFS version 2 requests of type tree_connect. + - Network Traffic + - Network Traffic Content + + * - smb2_tree_connect_response + - Generated for SMB/CIFS version 2 responses of type tree_connect. + - Network Traffic + - Network Traffic Content + + * - smb2_tree_disconnect_request + - Generated for SMB/CIFS version 2 requests of type tree disconnect. + - Network Traffic + - Network Traffic Content + + * - smb2_tree_disconnect_response + - Generated for SMB/CIFS version 2 responses of type tree disconnect. + - Network Traffic + - Network Traffic Content + + * - smb2_write_request + - Generated for SMB/CIFS version 2 requests of type write. + - Network Traffic + - Network Traffic Content + + * - smb2_write_response + - Generated for SMB/CIFS version 2 responses of type write. + - Network Traffic + - Network Traffic Content + + * - smtp_data + - Generated for DATA transmitted on SMTP sessions. + - Network Traffic + - Network Traffic Flow + + * - smtp_starttls + - Generated if a connection switched to using TLS using STARTTLS or X-ANONYMOUSTLS. + - Network Traffic + - Network Traffic Flow + + * - snmp_encrypted_pdu + - An SNMPv3 encrypted PDU message. + - Network Traffic + - Network Traffic Content + + * - snmp_get_bulk_request + - An SNMP GetBulkRequest-PDU message from RFC 3416. + - Network Traffic + - Network Traffic Flow + + * - snmp_get_next_request + - An SNMP GetNextRequest-PDU message from either RFC 1157 or RFC 3416. 
+ - Network Traffic + - Network Traffic Flow + + * - snmp_get_request + - An SNMP GetRequest-PDU message from either RFC 1157 or RFC 3416. + - Network Traffic + - Network Traffic Content + + * - snmp_inform_request + - An SNMP InformRequest-PDU message from RFC 3416. + - Network Traffic + - Network Traffic Flow + + * - snmp_report + - An SNMP Report-PDU message from RFC 3416. + - Network Traffic + - Network Traffic Content + + * - snmp_response + - An SNMP GetResponse-PDU message from RFC 1157 or a Response-PDU from RFC 3416. + - Network Traffic + - Network Traffic Flow + + * - snmp_set_request + - An SNMP SetRequest-PDU message from either RFC 1157 or RFC 3416. + - Network Traffic + - Network Traffic Content + + * - snmp_trap + - An SNMP Trap-PDU message from RFC 1157. + - Network Traffic + - Network Traffic Content + + * - snmp_trapv2 + - An SNMP SNMPv2-Trap-PDU message from RFC 1157. + - Network Traffic + - Network Traffic Content + + * - socks_login_userpass_reply + - Generated when a SOCKS server replies to a username/password login attempt. + - Network Traffic - Network Connection Creation - - * - socks_login_userpass_request - - Generated when a SOCKS client performs username and password based login. - - Network Traffic + + * - socks_login_userpass_request + - Generated when a SOCKS client performs username and password based login. + - Network Traffic - Network Connection Creation - - * - socks_reply - - Generated when a SOCKS reply is analyzed. - - Network Traffic - - Network Traffic Flow - - * - socks_request - - Generated when a SOCKS request is analyzed. - - Network Traffic - - Network Traffic Flow - - * - ssh_capabilities - - During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. - - Network Traffic - - Network Traffic Content - - * - ssh_client_version - - An SSH Protocol Version Exchange message from the client. 
- - Network Traffic - - Network Traffic Flow - - * - ssh_encrypted_packet - - This event is generated when an SSH encrypted packet is seen. - - Network Traffic - - Network Traffic Content - - * - ssh_server_version - - An SSH Protocol Version Exchange message from the server. - - Network Traffic - - Network Traffic Flow - - * - ssh1_server_host_key - - During the SSH key exchange, the server supplies its public host key. - - Network Traffic - - Network Traffic Content - - * - ssh2_dh_server_params - - Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method. - - Network Traffic + + * - socks_reply + - Generated when a SOCKS reply is analyzed. + - Network Traffic + - Network Traffic Flow + + * - socks_request + - Generated when a SOCKS request is analyzed. + - Network Traffic + - Network Traffic Flow + + * - ssh_capabilities + - During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. + - Network Traffic + - Network Traffic Content + + * - ssh_client_version + - An SSH Protocol Version Exchange message from the client. + - Network Traffic + - Network Traffic Flow + + * - ssh_encrypted_packet + - This event is generated when an SSH encrypted packet is seen. + - Network Traffic + - Network Traffic Content + + * - ssh_server_version + - An SSH Protocol Version Exchange message from the server. + - Network Traffic + - Network Traffic Flow + + * - ssh1_server_host_key + - During the SSH key exchange, the server supplies its public host key. + - Network Traffic + - Network Traffic Content + + * - ssh2_dh_server_params + - Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method. + - Network Traffic - Network Connection Creation - - * - ssh2_ecc_key - - The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret. 
- - Network Traffic - - Network Traffic Content - - * - ssh2_server_host_key - - During the SSH key exchange, the server supplies its public host key. - - Network Traffic - - Network Traffic Content - - * - ssl_alert - - Generated for SSL/TLS alert records. - - Network Traffic - - Network Traffic Content - - * - ssl_change_cipher_spec - - This event is raised when a SSL/TLS ChangeCipherSpec message is encountered before encryption begins. - - Network Traffic - - Network Traffic Flow - - * - ssl_client_hello - - Generated for an SSL/TLS client’s initial hello message. - - Network Traffic + + * - ssh2_ecc_key + - The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret. + - Network Traffic + - Network Traffic Content + + * - ssh2_server_host_key + - During the SSH key exchange, the server supplies its public host key. + - Network Traffic + - Network Traffic Content + + * - ssl_alert + - Generated for SSL/TLS alert records. + - Network Traffic + - Network Traffic Content + + * - ssl_change_cipher_spec + - This event is raised when a SSL/TLS ChangeCipherSpec message is encountered before encryption begins. + - Network Traffic + - Network Traffic Flow + + * - ssl_client_hello + - Generated for an SSL/TLS client’s initial hello message. + - Network Traffic - Network Connection Creation - - * - ssl_dh_client_params - - Generated if a client uses a DH-anon or DHE cipher suite. - - Network Traffic - - Network Traffic Content - - * - ssl_dh_server_params - - Generated if a server uses a DH-anon or DHE cipher suite. - - Network Traffic - - Network Traffic Content - - * - ssl_ecdh_client_params - - Generated if a client uses an ECDH-anon or ECDHE cipher suite. 
- - Network Traffic - - Network Traffic Content - - * - ssl_ecdh_server_params - - Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve This event contains the named curve name and the server ECDH parameters contained in the ServerKeyExchange message as defined in RFC 4492. - - Network Traffic - - Network Traffic Content - - * - ssl_encrypted_data - - Generated for SSL/TLS messages that are sent after session encryption started. - - Network Traffic - - Network Traffic Content - - * - ssl_established - - Generated at the end of an SSL/TLS handshake. - - Network Traffic + + * - ssl_dh_client_params + - Generated if a client uses a DH-anon or DHE cipher suite. + - Network Traffic + - Network Traffic Content + + * - ssl_dh_server_params + - Generated if a server uses a DH-anon or DHE cipher suite. + - Network Traffic + - Network Traffic Content + + * - ssl_ecdh_client_params + - Generated if a client uses an ECDH-anon or ECDHE cipher suite. + - Network Traffic + - Network Traffic Content + + * - ssl_ecdh_server_params + - Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve This event contains the named curve name and the server ECDH parameters contained in the ServerKeyExchange message as defined in RFC 4492. + - Network Traffic + - Network Traffic Content + + * - ssl_encrypted_data + - Generated for SSL/TLS messages that are sent after session encryption started. + - Network Traffic + - Network Traffic Content + + * - ssl_established + - Generated at the end of an SSL/TLS handshake. + - Network Traffic - Network Connection Creation - - * - ssl_extension - - Generated for SSL/TLS extensions seen in an initial handshake. - - Network Traffic - - Network Traffic Flow - - * - ssl_handshake_message - - This event is raised for each unencrypted SSL/TLS handshake message. 
- - Network Traffic - - Network Traffic Flow - - * - ssl_heartbeat - - Generated for SSL/TLS heartbeat messages that are sent before session encryption starts. - - Network Traffic - - Network Traffic Flow - - * - ssl_plaintext_data - - Generated for SSL/TLS messages that are sent before full session encryption starts. - - Network Traffic - - Network Traffic Content - - * - ssl_rsa_client_pms - - Generated if a client uses RSA key exchange. - - Network Traffic + + * - ssl_extension + - Generated for SSL/TLS extensions seen in an initial handshake. + - Network Traffic + - Network Traffic Flow + + * - ssl_handshake_message + - This event is raised for each unencrypted SSL/TLS handshake message. + - Network Traffic + - Network Traffic Flow + + * - ssl_heartbeat + - Generated for SSL/TLS heartbeat messages that are sent before session encryption starts. + - Network Traffic + - Network Traffic Flow + + * - ssl_plaintext_data + - Generated for SSL/TLS messages that are sent before full session encryption starts. + - Network Traffic + - Network Traffic Content + + * - ssl_rsa_client_pms + - Generated if a client uses RSA key exchange. + - Network Traffic - Network Connection Creation - - * - ssl_server_hello - - Generated for an SSL/TLS server’s initial hello message. - - Network Traffic + + * - ssl_server_hello + - Generated for an SSL/TLS server’s initial hello message. + - Network Traffic - Network Connection Creation - - * - ssl_server_signature - - Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. - - Network Traffic - - Network Traffic Content - - * - ssl_session_ticket_handshake - - Generated for SSL/TLS handshake messages that are a part of the stateless-server session resumption mechanism. - - Network Traffic + + * - ssl_server_signature + - Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. 
+ - Network Traffic + - Network Traffic Content + + * - ssl_session_ticket_handshake + - Generated for SSL/TLS handshake messages that are a part of the stateless-server session resumption mechanism. + - Network Traffic - Network Connection Creation - - * - connection_attempt - - Generated for an unsuccessful connection attempt. - - Network Traffic - - Network Traffic Flow - - * - connection_eof - - Generated at the end of reassembled TCP connections. - - Network Traffic - - Network Traffic Flow - - * - connection_established - - Generated when seeing a SYN-ACK packet from the responder in a TCP handshake. - - Network Traffic + + * - connection_attempt + - Generated for an unsuccessful connection attempt. + - Network Traffic + - Network Traffic Flow + + * - connection_eof + - Generated at the end of reassembled TCP connections. + - Network Traffic + - Network Traffic Flow + + * - connection_established + - Generated when seeing a SYN-ACK packet from the responder in a TCP handshake. + - Network Traffic - Network Connection Creation - - * - connection_finished - - Generated for a TCP connection that finished normally. - - Network Traffic - - Network Traffic Flow - - * - connection_first_ack - - Generated for the first ACK packet seen for a TCP connection from its originator. - - Network Traffic + + * - connection_finished + - Generated for a TCP connection that finished normally. + - Network Traffic + - Network Traffic Flow + + * - connection_first_ack + - Generated for the first ACK packet seen for a TCP connection from its originator. + - Network Traffic - Network Connection Creation - - * - connection_half_finished - - Generated when one endpoint of a TCP connection attempted to gracefully close the connection, but the other endpoint is in the TCP_INACTIVE state. 
- - Network Traffic - - Network Traffic Flow - - * - connection_partial_close - - Generated when a previously inactive endpoint attempts to close a TCP connection via a normal FIN handshake or an abort RST sequence. - - Network Traffic - - Network Traffic Flow - - * - connection_pending - - Generated for each still-open TCP connection when Zeek terminates. - - Network Traffic - - Network Traffic Flow - - * - connection_rejected - - Generated for a rejected TCP connection. - - Network Traffic - - Network Traffic Flow - - * - connection_reset - - Generated when an endpoint aborted a TCP connection. - - Network Traffic - - Network Traffic Flow - - * - connection_SYN_packet - - Generated for a SYN packet. - - Network Traffic + + * - connection_half_finished + - Generated when one endpoint of a TCP connection attempted to gracefully close the connection, but the other endpoint is in the TCP_INACTIVE state. + - Network Traffic + - Network Traffic Flow + + * - connection_partial_close + - Generated when a previously inactive endpoint attempts to close a TCP connection via a normal FIN handshake or an abort RST sequence. + - Network Traffic + - Network Traffic Flow + + * - connection_pending + - Generated for each still-open TCP connection when Zeek terminates. + - Network Traffic + - Network Traffic Flow + + * - connection_rejected + - Generated for a rejected TCP connection. + - Network Traffic + - Network Traffic Flow + + * - connection_reset + - Generated when an endpoint aborted a TCP connection. + - Network Traffic + - Network Traffic Flow + + * - connection_SYN_packet + - Generated for a SYN packet. + - Network Traffic - Network Connection Creation - - * - tcp_contents - - Generated for each chunk of reassembled TCP payload. - - Network Traffic - - Network Traffic Content - - * - tcp_options - - Generated for each TCP header that contains TCP options. - - Network Traffic - - Network Traffic Content - - * - tcp_packet - - Generated for every TCP packet. 
- - Network Traffic - - Network Traffic Content - - * - partial_connection - - Generated for a new active TCP connection if Zeek did not see the initial handshake. - - Network Traffic - - Network Traffic Flow - - * - tcp_rexmit - - Generated for each detected TCP segment retransmission. - - Network Traffic - - Network Traffic Flow - - * - ssh_auth_attempted - - This event is generated when an SSH connection was determined to have had an authentication attempt. - - Network Traffic - - Network Traffic Flow - - * - ssh_auth_successful - - This event is generated when an SSH connection was determined to have had a successful authentication. - - Network Traffic + + * - tcp_contents + - Generated for each chunk of reassembled TCP payload. + - Network Traffic + - Network Traffic Content + + * - tcp_options + - Generated for each TCP header that contains TCP options. + - Network Traffic + - Network Traffic Content + + * - tcp_packet + - Generated for every TCP packet. + - Network Traffic + - Network Traffic Content + + * - partial_connection + - Generated for a new active TCP connection if Zeek did not see the initial handshake. + - Network Traffic + - Network Traffic Flow + + * - tcp_rexmit + - Generated for each detected TCP segment retransmission. + - Network Traffic + - Network Traffic Flow + + * - ssh_auth_attempted + - This event is generated when an SSH connection was determined to have had an authentication attempt. + - Network Traffic + - Network Traffic Flow + + * - ssh_auth_successful + - This event is generated when an SSH connection was determined to have had a successful authentication. + - Network Traffic - Network Connection Creation - - * - arp_request - - Generated for ARP requests. - - Network Traffic - - Network Traffic Flow - - * - arp_reply - - Generated for ARP replies. - - Network Traffic - - Network Traffic Flow - - * - dns_request - - Generated for DNS requests. 
- - Network Traffic - - Network Traffic Flow - - * - dns_unknown_reply - - Generated on DNS reply resource records when the type of record is not one that Zeek knows how to parse and generate another more specific event. - - Network Traffic - - Network Traffic Flow - - * - dns_a6_reply - - Generated for DNS replies of type A6. - - Network Traffic - - Network Traffic Flow - - * - dns_AAAA_reply - - Generated for DNS replies of type AAAA. - - Network Traffic - - Network Traffic Flow - - * - dns_A_reply - - Generated for DNS replies of type A. - - Network Traffic - - Network Traffic Flow - - * - dns_CAA_reply - - Generated for DNS replies of type CAA (Certification Authority Authorization). - - Network Traffic - - Network Traffic Flow - - * - dns_CNAME_reply - - Generated for DNS replies of type CNAME. - - Network Traffic - - Network Traffic Flow - - * - dns_DNSKEY_reply - - Generated for DNS replies of type DNSKEY. - - Network Traffic - - Network Traffic Flow - - * - dns_DS_reply - - Generated for DNS replies of type DS. - - Network Traffic - - Network Traffic Flow - - * - dns_EDNS_addl_reply - - Generated for DNS replies of type EDNS. - - Network Traffic - - Network Traffic Flow - - * - dns_EDNS_ecs_reply - - Generated for DNS replies of type EDNS. - - Network Traffic - - Network Traffic Flow - - * - dns_HINFO_reply - - Generated for DNS replies of type HINFO. - - Network Traffic - - Network Traffic Flow - - * - dns_MX_reply - - Generated for DNS replies of type MX. - - Network Traffic - - Network Traffic Flow - - * - dns_NSEC_reply - - Generated for DNS replies of type NSEC. - - Network Traffic - - Network Traffic Flow - - * - dns_NSEC_reply - - Generated for DNS replies of type NSEC3. - - Network Traffic - - Network Traffic Flow - - * - dns_NS_reply - - Generated for DNS replies of type NS. - - Network Traffic - - Network Traffic Flow - - * - dns_PTR_reply - - Generated for DNS replies of type PTR. 
- - Network Traffic - - Network Traffic Flow - - * - dns_RRSIG_reply - - Generated for DNS replies of type RRSIG. - - Network Traffic - - Network Traffic Flow - - * - dns_SOA_reply - - Generated for DNS replies of type SOA. - - Network Traffic - - Network Traffic Flow - - * - dns_SPF_reply - - Generated for DNS replies of type SPF. - - Network Traffic - - Network Traffic Flow - - * - dns_SRV_reply - - Generated for DNS replies of type SRV. - - Network Traffic - - Network Traffic Flow - - * - dns_TSIG_reply - - Generated for DNS replies of type TSIG. - - Network Traffic - - Network Traffic Flow - - * - dns_TXT_reply - - Generated for DNS replies of type TXT. - - Network Traffic - - Network Traffic Flow - - * - dns_WKS_reply - - Generated for DNS replies of type WKS. - - Network Traffic - - Network Traffic Flow - - * - ftp_request - - Generated for client-side FTP commands. - - Network Traffic - - Network Traffic Flow - - * - ftp_reply - - Generated for server-side FTP replies. - - Network Traffic - - Network Traffic Flow - - * - smb2_close_request - - Generated for SMB/CIFS version 2 requests of type close. - - Network Traffic - - Network Traffic Content - - * - smb2_close_response - - Generated for SMB/CIFS version 2 responses of type close. - - Network Traffic - - Network Traffic Flow - - * - smb2_create_request - - Generated for SMB/CIFS version 2 requests of type create. - - Network Traffic - - Network Traffic Content - - * - smb2_create_response - - Generated for SMB/CIFS version 2 responses of type create. - - Network Traffic - - Network Traffic Flow - - * - pop3_request - - Generated for client-side commands on POP3 connections. - - Network Traffic - - Network Traffic Flow - - * - pop3_reply - - Generated for server-side replies to commands on POP3 connections. - - Network Traffic - - Network Traffic Flow - - * - smtp_request - - Generated for client-side SMTP commands. 
- - Network Traffic - - Network Traffic Flow - - * - smtp_reply - - Generated for server-side SMTP commands. - - Network Traffic - - Network Traffic Flow - - * - dhcp_message - - Generated for all DHCP messages. - - Network Traffic - - Network Traffic Flow - - * - icmp_echo_request - - Generated for ICMP echo request messages. - - Network Traffic - - Network Traffic Flow - - * - icmp_echo_reply - - Generated for ICMP echo reply messages. - - Network Traffic - - Network Traffic Flow - - * - dce_rpc_request - - Generated for every DCE-RPC request message. - - Network Traffic - - Network Traffic Flow - - * - dce_rpc_reply - - Generated for every DCE-RPC reply message. - - Network Traffic - - Network Traffic Flow - - * - http_request - - Generated for HTTP requests. - - Network Traffic - - Network Traffic Flow - - * - http_reply - - Generated for HTTP replies. - - Network Traffic - - Network Traffic Flow - - * - udp_contents - - Generated for UDP packets to pass on their payload. - - Network Traffic - - Network Traffic Content - - * - udp_reply - - Generated for each packet sent by a UDP flow’s responder. - - Network Traffic - - Network Traffic Flow - - * - udp_request - - Generated for each packet sent by a UDP flow’s originator. - - Network Traffic - - Network Traffic Flow -.. /MAPPINGS_TABLE \ No newline at end of file + + * - arp_request + - Generated for ARP requests. + - Network Traffic + - Network Traffic Flow + + * - arp_reply + - Generated for ARP replies. + - Network Traffic + - Network Traffic Flow + + * - dns_request + - Generated for DNS requests. + - Network Traffic + - Network Traffic Flow + + * - dns_unknown_reply + - Generated on DNS reply resource records when the type of record is not one that Zeek knows how to parse and generate another more specific event. + - Network Traffic + - Network Traffic Flow + + * - dns_a6_reply + - Generated for DNS replies of type A6. 
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_AAAA_reply
+ - Generated for DNS replies of type AAAA.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_A_reply
+ - Generated for DNS replies of type A.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_CAA_reply
+ - Generated for DNS replies of type CAA (Certification Authority Authorization).
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_CNAME_reply
+ - Generated for DNS replies of type CNAME.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_DNSKEY_reply
+ - Generated for DNS replies of type DNSKEY.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_DS_reply
+ - Generated for DNS replies of type DS.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_EDNS_addl_reply
+ - Generated for DNS replies of type EDNS.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_EDNS_ecs_reply
+ - Generated for DNS replies of type EDNS.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_HINFO_reply
+ - Generated for DNS replies of type HINFO.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_MX_reply
+ - Generated for DNS replies of type MX.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_NSEC_reply
+ - Generated for DNS replies of type NSEC.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_NSEC_reply
+ - Generated for DNS replies of type NSEC3.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_NS_reply
+ - Generated for DNS replies of type NS.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_PTR_reply
+ - Generated for DNS replies of type PTR.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_RRSIG_reply
+ - Generated for DNS replies of type RRSIG.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_SOA_reply
+ - Generated for DNS replies of type SOA.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_SPF_reply
+ - Generated for DNS replies of type SPF.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_SRV_reply
+ - Generated for DNS replies of type SRV.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_TSIG_reply
+ - Generated for DNS replies of type TSIG.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_TXT_reply
+ - Generated for DNS replies of type TXT.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dns_WKS_reply
+ - Generated for DNS replies of type WKS.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - ftp_request
+ - Generated for client-side FTP commands.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - ftp_reply
+ - Generated for server-side FTP replies.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - smb2_close_request
+ - Generated for SMB/CIFS version 2 requests of type close.
+ - Network Traffic
+ - Network Traffic Content
+
+ * - smb2_close_response
+ - Generated for SMB/CIFS version 2 responses of type close.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - smb2_create_request
+ - Generated for SMB/CIFS version 2 requests of type create.
+ - Network Traffic
+ - Network Traffic Content
+
+ * - smb2_create_response
+ - Generated for SMB/CIFS version 2 responses of type create.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - pop3_request
+ - Generated for client-side commands on POP3 connections.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - pop3_reply
+ - Generated for server-side replies to commands on POP3 connections.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - smtp_request
+ - Generated for client-side SMTP commands.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - smtp_reply
+ - Generated for server-side SMTP commands.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dhcp_message
+ - Generated for all DHCP messages.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - icmp_echo_request
+ - Generated for ICMP echo request messages.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - icmp_echo_reply
+ - Generated for ICMP echo reply messages.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dce_rpc_request
+ - Generated for every DCE-RPC request message.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - dce_rpc_reply
+ - Generated for every DCE-RPC reply message.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - http_request
+ - Generated for HTTP requests.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - http_reply
+ - Generated for HTTP replies.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - udp_contents
+ - Generated for UDP packets to pass on their payload.
+ - Network Traffic
+ - Network Traffic Content
+
+ * - udp_reply
+ - Generated for each packet sent by a UDP flow’s responder.
+ - Network Traffic
+ - Network Traffic Flow
+
+ * - udp_request
+ - Generated for each packet sent by a UDP flow’s originator.
+ - Network Traffic
+ - Network Traffic Flow
+.. /MAPPINGS_TABLE
diff --git a/docs/methodology/index.rst b/docs/methodology/index.rst
index 8b386a7..f12cc29 100644
--- a/docs/methodology/index.rst
+++ b/docs/methodology/index.rst
@@ -1,32 +1,32 @@ -.. _Methodology Pages: - -========================= Mapping Methodology -========================= +=================== Philosophy ---------- -Mappings are created by analyzing each in-scope sensor in relation to ATT&CK Data Sources. Events collected -by sensors and ATT&CK objects are at different levels of abstraction and cannot always perfectly detect -the adversary behaviors that they are meant to represent. By completing the connection of conceptual data -sources and components to concrete logs, sensors, and other security capabilities, cyber defenders have a -information to help identify relevant security data to collect for specific behaviors and environments. +Mappings are created by analyzing each in-scope sensor in relation to ATT&CK Data +Sources. Events collected by sensors are at a different level of abstraction than ATT&CK +objects, so they cannot always perfectly detect the adversary behaviors that they are +mapped to. By completing the connection of conceptual data sources and components to +concrete logs, sensors, and other security capabilities, cyber defenders have +information to help identify relevant security data to collect for specific behaviors +and environments. Process ------- -The Sensor Mappings to ATT&CK mapping methodology consists of the following steps: +.. image:: ../_static/build_sensor_mappings.png + :width: 700 -- **Identify the Sensor's Events/Telemetry** - Identify the event logs available to the sensor. -- **Definition Correlation** - For each identified event, understand the security capabilities it provides. -- **Relationship Correlation** - Identify the ATT&CK Data Sources mappable to event IDs. +The Sensor Mappings to ATT&CK mapping methodology consists of the following steps: .. toctree:: + :hidden: step1 step2 step3 -.. image:: ../_static/build_sensor_mappings.png - :width: 700 +- :doc:`step1`: Identify the types of events the sensor can emit. 
+- :doc:`step2`: For each identified event, understand the security capabilities it provides.
+- :doc:`step3`: Identify the ATT&CK Data Sources mappable to event IDs.
diff --git a/docs/methodology/step1.rst b/docs/methodology/step1.rst
index d3cb135..4366c59 100644
--- a/docs/methodology/step1.rst
+++ b/docs/methodology/step1.rst
@@ -1,56 +1,66 @@ Step 1: Identify the Sensor's Events ===================================== -Sensors generate logs of real-time data that is indicative of a sequence of actions conducted by the user of -a computer system. With those actions having a potential to inform a defender of adversary activity, this is -the first location to look for further evidence. Typically, sensors can be broken out into two categories: - -**Host:** data gathered from endpoints in the environment (e.g., Windows, MacOS, Linux) - - - Examples: - - Windows Event Log - - Sysmon - - OSQuery - - EDR Products (Carbon Black, Crowdstrike, Microsoft Defender ATP, etc.) - - Services, Processes, Command-lines, Loaded Modules, DLLs - - Files, Registry - - Scheduled Tasks, Cron Jobs, Launch Agents - - User Account, Hardware Info - - Memory Data - -**Network:** data gathered from network communications, typically outbound connections - - - Examples: +Sensors generate logs of real-time data that is indicative of a sequence of actions +conducted by the user of a computer or network. Typically, sensors can be broken out +into two categories: + +**Host-based sensor data** is gathered from endpoints in the environment (e.g., Windows, +MacOS, Linux). Examples include: + +- Windows Event Log +- Sysmon +- OSQuery +- EDR Products (Carbon Black, Crowdstrike, Microsoft Defender ATP, etc.) +- Services, Processes, Command-lines, Loaded Modules, DLLs +- Files, Registry +- Scheduled Tasks, Cron Jobs, Launch Agents +- User Account, Hardware Info +- Memory Data + +**Network-based sensor data** is gathered from network communications. Examples include: + - Firewall Logs - Proxy Logs - IDS/IPS Logs - - Netflow Data + - Netflow Data - Bro/Zeek - Packet Capture -One widely used Windows-centric sensor is Windows Event Log. The Windows Event Log is an in-depth record of events -related to the system, security, and applications stored on a Windows operating system. 
These event logs can be -used to track certain system and application issues and potentially forecast future problems. Defenders will utilize -this tool to help track potential threats and problems potentially occurring within an organization's environment. -The events store information in a standard format that allows for a clear understanding of the information collected -(i.e., Log name, Event ID, Source, User, Computer, Event Data/Time, etc.) - -These sensors or tools have user documentation for the security capabilities of each platform (e.g., security -reference architectures, security benchmarks, security documentation of various services) and should be reviewed -to understand event types offered by the platform for detecting workloads on the platform. This project focused on -security event logs for data related to the safety of a computer system, such as failed and valid logins and file -deletions. This user documentation was reviewed to develop the Events and Event IDs to be mapped for each sensor, -including: - -- `Windows Event Logs from Microsoft `_ -- `Ultimate Windows Security Encyclopedia `_ +One widely used host-based sensor is Windows Event Log (WEL). WEL logs events related to +the system, security, and applications on a Windows operating system. These event logs +can be used to track certain system and application issues and potentially forecast +future problems. Defenders will utilize this tool to help track potential threats and +problems potentially occurring within an organization's environment. The events store +information in a standard format that allows for a clear understanding of the +information collected (i.e., Log name, Event ID, Source, User, Computer, Event +Data/Time, etc.) 
+ +These sensors or tools have user documentation for the security capabilities of each +platform (e.g., security reference architectures, security benchmarks, security +documentation of various services) and should be reviewed to understand event types +offered by the platform for detecting workloads on the platform. This project focused on +security event logs for data related to the cybersecurity of a computer system, such as +failed and valid logins and file deletions. This user documentation was reviewed to +develop the Events and Event IDs to be mapped for each sensor, including: + +- `Windows Event Logs from Microsoft + `_ +- `Ultimate Windows Security Encyclopedia + `_ - `Sysmon Event Logs `_ - `OSQuery Schema `_ -- `Zeek Reference Documentation `_ -- `CloudTrail Documentation `_ +- `Zeek Reference Documentation + `_ +- `CloudTrail Documentation `_ - `Auditd Linux man page `_ When selecting events to map, the following considerations were used: -- The scope of the events consists of telemetry that can be collected by a sensor or logging system which may collect information relevant to identifying the action being performed by an adversary, sequence of actions, or the results of those actions. -- The events are considered as native to the sensor and made available on the platform. The intent is not to provide a mapping for all settings/features of individual platform services. This is a non-trivial undertaking that may be explored at a later time. +- The scope of the events consists of telemetry that can be collected by a sensor or + logging system which may collect information relevant to identifying the action being + performed by an adversary, sequence of actions, or the results of those actions. +- The events are considered as native to the sensor and made available on the platform. + The intent is not to provide a mapping for all settings/features of individual + platform services. 
This is a non-trivial undertaking that may be explored at a later
+ time.
diff --git a/docs/methodology/step2.rst b/docs/methodology/step2.rst
index 3a27580..d5e2634 100644
--- a/docs/methodology/step2.rst
+++ b/docs/methodology/step2.rst
@@ -1,52 +1,63 @@ Step 2: Definition Correlation =============================== -What makes sensors useful to defenders is the meaning and context associated with the event. For each identified event ID, -consult the available documentation to understand its capabilities. Gather specific facts about the event ID that will -later help in mapping the event to the set of ATT&CK Data Sources it is able to detect. +What makes sensors useful to defenders is the meaning and context associated with the +event. For each identified event ID, consult the available documentation to understand +its capabilities. Gather specific facts about the event ID that will later help in +mapping the event to the set of ATT&CK Data Sources it is able to detect. -The most common way to bring context to the event is by applying the description and other types of metadata such as the -Data Elements and Fields. Documented description, elements, and fields can help provide understanding of what the sensor is -truly capturing, and make creating mappings more efficient. +The most common way to bring context to the event is by applying the description and +other types of metadata such as the Data Elements and Fields. Documented description, +elements, and fields can help provide understanding of what the sensor is truly +capturing, and it makes the mappings process more efficient. Identify the Source of Data --------------------------- -Start with **identifying the source of data**. In a Windows environment, we can collect information pertaining to "Processes" -from built-in event providers such as Microsoft-Windows-Security-Auditing and open third-party tools, including Sysmon. +Start with **identifying the source of data**. In a Windows environment, we can collect +information pertaining to "Processes" from built-in event providers such as +Microsoft-Windows-Security-Auditing and open third-party tools, including Sysmon. 
Additional context on potential source of the data can be gained by considering: - *Why were these security events generated in my environment? (Activity)* - *What operating system supports its generation? (Platform)* -For example, the documentation provided by Microsoft for Windows `Event ID 4688: A new process has been created `_ -provides context for this event. By the event description, 4688 is generated every time a new process starts. The information -provided by this event includes the user account that requested the creation of the process, and information of a process that -executed a new process. This event also provides metadata that can help us to describe the data elements needed later on in -Step 3 of this methodology. +For example, the documentation provided by Microsoft for Windows `Event ID 4688: A new +process has been created +`_ +provides context for this event. By the event description, 4688 is generated every time +a new process starts. The information provided by this event includes the user account +that requested the creation of the process, and information of a process that executed a +new process. This event also provides metadata that can help us to describe the data +elements needed later on in Step 3 of this methodology. .. image:: ../_static/msdn_4688_ex.png :width: 600 -- The action that triggered the generation of this event was the creation of a new process (Activity). -- This security event can be collected by using the built-in event logging application for devices that work with the Windows operating system (Platform). Within a Windows environment, it is typically known to have a "process" as a source of data. +- The action that triggered the generation of this event was the creation of a new + process (Activity). +- This security event can be collected by using the built-in event logging application + for devices that work with the Windows operating system (Platform). 
Within a Windows + environment, it is typically known to have a "process" as a source of data. Correlate to ATT&CK Data Component Definition --------------------------------------------- -To correlate with ATT&CK, the `Data Source `_ pages provide definitions for each -individual Data Source. +To correlate with ATT&CK, the `Data Source `_ +pages provide definitions for each individual Data Source. .. image:: ../_static/attack_ex_pc.png :width: 600 -For Process Creation, ATT&CK's definition is : **..the initial construction of an executable..**. Through key word review, it -can be determined that this is the same as **..a process is created..** Therefore, event ID 4688 can be linked with this -ATT&CK Data Component. +For Process Creation, ATT&CK's definition is : **..the initial construction of an +executable..**. Through key word review, it can be determined that this is the same as +**..a process is created..** Therefore, event ID 4688 can be linked with this ATT&CK +Data Component. -A similar process can be used to examine Sysmon EID 1, Sysmon EID 8, WinEvtx 4688, and WinEvtx 4696. The image below shows that -the definitions all have some correlation with either starting or executing a process. +A similar process can be used to examine Sysmon EID 1, Sysmon EID 8, WinEvtx 4688, and +WinEvtx 4696. The image below shows that the definitions all have some correlation with +either starting or executing a process. .. image:: ../_static/definitioncorrelation_ex.png :width: 700 diff --git a/docs/methodology/step3.rst b/docs/methodology/step3.rst index 0e4d8f9..7cf8b6e 100644 --- a/docs/methodology/step3.rst +++ b/docs/methodology/step3.rst 
@@ -4,49 +4,57 @@ Step 3: Relationship Correlation Identify the Data Element ------------------------- -The next step in reviewing the event ID is **identify the data element**. Once more about sources of data -that can be mapped to an ATT&CK Data Source is identified and understood, data elements within the event -fields potentially representing adversary behavior can start to be identified from a data perspective. - -As mentioned in Step 2, `Event ID 4688: A new process has been created `_ also provides attributes -that can help to describe the data elements needed. For instance, regarding the user account data element, -information on the logon ID and the domain it belongs to is collected. +The next step in reviewing the event ID is **identify the data element**. As mentioned +in Step 2, `Event ID 4688: A new process has been created +`_ +provides attributes that describe the data elements needed, such as the logon ID and the +domain it belongs to. .. image:: ../_static/msdn_4688_ex_attributes.png :width: 600 -The use of Data Elements helps to understand key attributes that are related to the adversary behavior. -For example, if an adversary behavior modifies a Windows Registry value, collection of Windows Registry -telemetry is needed for visbility of that behavior. +The use of Data Elements helps to understand key attributes that are related to the +adversary behavior. For example, if an adversary behavior modifies a Windows Registry +value, then defenders need to collect Windows Registry telemetry to get visbility into +that behavior. 
-Additional context on how to establish data elements can be gained by considering: +Additional context on how to establish data elements can be gained by considering: - *How is the adversary conducting a behavior?* - *What are all the data objects that define the context of the data source?* -- *What are some attributes from the event log that contributes to the activity of the adversary behavior?* +- *What are some attributes from the event log that contribute to the activity of the + adversary behavior?* .. image:: ../_static/dataelement_ex.png :width: 700 -This method can also be used to provide a general idea of what information needs to be collected. +This method can also be used to provide a general idea of what information needs to be +collected. + +.. tip:: -Note: There is a fundamental rule that should be considered when defining: **there is no one correct way to -define data elements**. Please look to your organizational needs to help define what data elements mean to you. + **There is not just one correct way to define data elements**. Please look to your + organizational needs to help define what data elements mean to you. Identify Relationships among Data Elements ------------------------------------------ -By documenting the event collection, source (creation of a new process), and data elements (user account and -process), descriptions of **interactions among elements through relationships** can start to be documented. +By documenting the event collection, source (e.g. creation of a new process), and data +elements (e.g. user account and process), defenders can start to document descriptions +of **interactions among elements through relationships**. + +.. tip:: -Note: Relationships in ATT&CK have been categorized between *activity* and *information*. Activity -relationships are the ones that make references to the action that triggered the generation of the event. 
-Informational relationships are the ones defined based on the metadata provided by the event. Therefore, -please be aware of alternative data elements (i.e., a thread can create a process). + Relationships in ATT&CK have been categorized between *activity* and *information*. + Activity relationships are the ones that make references to the action that triggered + the generation of the event. Informational relationships are the ones defined based + on the metadata provided by the event. Therefore, please be aware of alternative data + elements (i.e., a thread can create a process). .. image:: ../_static/relationship_ex.png :width: 700 -As discussed by `OSSEM `_ at their ATT&CKcon 2018 and 2019 presentation, the activity of the -relationship leads to Data Components. Data Components will help to categorize relationships among data elements -based on the security context they describe (i.e., Creation, Execution, Deletion). \ No newline at end of file +As discussed by `OSSEM `_ at their ATT&CKcon 2018 and +2019 presentation, the activity of the relationship leads to Data Components. Data +Components help to categorize relationships among data elements based on the security +context they describe (i.e., Creation, Execution, Deletion). diff --git a/docs/overview.rst b/docs/overview.rst index 9af8610..433577d 100644 --- a/docs/overview.rst +++ b/docs/overview.rst 
@@ -2,79 +2,79 @@ Overview ======== Cyber threat detection starts with understanding the data sources and sensors that can -be used to detect a given adversary tactic, technique, or procedure (TTP). Extending -ATT&CK Data Sources to link adversary behaviors to tools, capabilities, and sensors that -provide visibility can help cyber defenders understand how specific tools and capabilities -provide visibility into specific adversary TTPs. +be used to detect a given adversary tactic, technique, or procedure (TTP). -Sensor Mappings to ATT&CK helps cyber defenders understand whether the sensors, logs, tools, -and other security capabilities available to them provide visibility into specific ATT&CK -behaviors they care about; and, if they can't, what they can do to change that. This information -can be used to answer questions such as: +The Sensor Mappings to ATT&CK Project (SMAP) extends MITRE ATT&CK® Data Sources to map +out how sensors and tools provide visibility into specific adversary TTPs. This helps +cyber defenders understand whether their sensors and other security capabilities provide +visibility into the adversary behaviors they care most about. And if they cannot provide +visibility, then what should defenders do to change that? This information can be used +to answer questions such as: -- What's my coverage for ATT&CK TTPs given my current tools? +- What is my coverage for ATT&CK TTPs given my current tools? - If I were to add Tool X, how does that coverage change? -- I'm concerned about a particular recent threat report. Can I see it if it were to happen in my environment and, if so, where do I look? +- If I'm concerned about a recent threat report, how can I look for that threat in my + environment? Background ---------- -ATT&CK began bridging offensive actions with potential defensive countermeasures in the v9 release. 
This -goal was achieved by tagging each (sub-)technique with defensive-focused fields/properties, such as what -data to collect (data sources) and how to analyze that data in order to potentially identify -specific behaviors (detections). +ATT&CK began bridging offensive actions with defensive countermeasures `in +version 9.0 `__. +This goal was achieved by tagging each (sub-)technique with defensive-focused fields, +such as what data to collect (Data Sources) and how to analyze that data in order to +identify specific behaviors (Detections). -`ATT&CK's Data Sources `_ usually fall into one of the following buckets: +`ATT&CK's Data Sources `_ usually fall into one of +the following buckets: - Granular basic system artifacts (e.g., process, file, registry) - Granular basic user activities (e.g., logon session) - Abstract types of system artifacts, with children as sub-types (e.g., scheduled jobs) -- Associated network traffic (e.g., wmi and registry), in such cases, it's important to capture the set of - protocols that encompasses this traffic, so that users may understand where they need to look in their - logs/PCAPs/DPI appliances/etc. +- Associated network traffic (e.g., wmi and registry), in such cases, it's important to + capture the set of protocols that encompasses this traffic, so that users may + understand where they need to look in their logs/PCAPs/DPI appliances/etc. - Associated cloud (e.g. Instance, Container, Cloud Storage, Cloud Service) -ATT&CK Data Sources do not describe fully the specific events or sensors that can provide -visibility into each individiual data source. This leaves the users with significant work to -understand how their tools map to the generic data sources and inhibits automated analysis to -easily answer the questions SOCs need to ask. 
This project is intended to build on ATT&CK -Data Sources, extending them to connect conceptual data sources to concrete sensors, logs, -tools, and other security capabilities, allowing the users of ATT&CK to easily go from a -technique they're concerned about to capabilities they might have or could acquire to detect it. - -Prior research into building on ATT&CK Data Objects has been undertaken by The Open Source Security -Events Metadata (OSSEM) (https://github.com/OTRF/OSSEM) project and the Center's Atomic Data Sources project (https://github.com/mitre-attack/attack-datasources). OSSEM is a -community-led project created by Roberto and Jose Rodriguez that provides security context telemetry of -behaviors occurring in an environment and metadata describing relationships between security events and -ATT&CK TTPs. Atomic Data Sources developed data source objects and context to help describe activity -within a network and provided a proof-of-concept approach to mapping ATT&CK Data Sources to sensors. +ATT&CK Data Sources do not fully describe the specific events or sensors that provide +visibility. This leaves the users with significant work to understand how their tools +map to ATT&CK Data Sources and hinders automated reasoning. This project is intended to +build on ATT&CK Data Sources, extending them to connect *conceptual* data sources to +*concrete* sensors, logs, tools, and other security capabilities. This mapping allows +the users of ATT&CK to go from a technique they're concerned about to capabilities they +might have or could acquire to detect it. + +Prior research into building on ATT&CK Data Objects has been undertaken by `The Open +Source Security Events Metadata (OSSEM) `__ project and +the Center's `Atomic Data Sources project +`__. 
OSSEM is a community-led +project created by Roberto and Jose Rodriguez that provides security context telemetry +of behaviors occurring in an environment and metadata describing relationships between +security events and ATT&CK TTPs. Atomic Data Sources developed data source objects and +context to help describe activity within a network and provided a proof-of-concept +approach to mapping ATT&CK Data Sources to sensors. STIX Representation and Mapping Tools ------------------------------------- To make the mapping between sensor events and ATT&CK easily accessible to defenders that -use STIX, the mappings are also published in a machine-readable STIX 2 representation. -This format uses STIX representation to represent the mappings between sensor events and -ATT&CK. - -A set of Python tools is provided to support data manipulation, including the creation -of new mappings and the customization of existing mappings. A command line interface -(CLI) tool is available for validation of mapping file syntax, ensuring conformity to -the data format specification and accurate references of ATT&CK Data Sources. The CLI -tool also supports the production of ATT&CK Navigator layers and Markdown Summary -visualizations from mapping files. - -Users can easily refine and extend the mappings for their needs and locally rebuild the -full set of supporting artifacts using the scripts in this repository. +use STIX, the mappings are also published in a machine-readable STIX 2 representation. A +set of Python tools is provided to support data manipulation, including the creation of +new mappings and the customization of existing mappings. A command line interface (CLI) +tool is available for validation of mapping file syntax, ensuring conformity to the data +format specification and accurate references of ATT&CK Data Sources. The CLI tool also +supports the production of ATT&CK Navigator layers and Markdown Summary visualizations +from mapping files. 
Users can refine and extend the mappings for their needs and build a +local copy of the SMAP artifacts using the scripts in this repository. Get Involved ------------ -The resulting mapping between Events and ATT&CK allow cyber defenders to create a more -detailed picture of cyber incidents, including the threat actor, technical behavior, -telemetry collection, and impact. These improvements can be used to develop better -predictions and insights into how we might be attacked in the future by better -understanding how and why were attacked in the past. +The mapping between ATT&CK Data Sources and concrete sensors allows cyber defenders to +create a more detailed picture of cyber incidents, including the threat actor, technical +behavior, telemetry collection, and impact. These improvements can be used to develop +better predictions and insights into how we might be attacked in the future by better +understanding of how and why were attacked in the past. We encourage you to review the mappings, use them, and tell us what you think. Please see the guidance for contributors if you are interested in `contributing diff --git a/docs/use_cases.rst b/docs/use_cases.rst index 756c832..41f73a1 100644 --- a/docs/use_cases.rst +++ b/docs/use_cases.rst 
@@ -4,35 +4,31 @@ Use Cases Target Audience --------------- -The existing communities of Sensors and ATT&CK users include many roles and responsibilities -associated with organizational detection processes and procedures. These roles and responsibilities -include: +The existing communities of Sensors and ATT&CK users include many roles and +responsibilities associated with organizational detection processes and procedures. +These roles and responsibilities include: Incident Response (IR) Professional - Responsibilities include response, - management, and coordination, and remediation activities for cyber incidents such as - malware infections, data theft, ransomware encryption, denial of service, and - control systems intrusions. + Responsibilities include response, management, coordination, and remediation + activities for cyber incidents such as malware infections, data theft, ransomware + encryption, denial of service, and control systems intrusions. Chief Information Security Officer (CISO) - Responsibilities include carrying - out information security policies, procedures, and controls, and providing primary - interface between senior managers and information system owners. + Responsibilities include carrying out information security policies, procedures, and + controls, and providing the primary interface between senior managers and + information system owners. Information System Security Officer (ISSO) - Responsibilities include ensuring - the appropriate operational security posture is maintained for information systems - or programs. + Responsibilities include ensuring the appropriate operational security posture is + maintained for information systems or programs. Security Operations Center (SOC) Analyst - Responsibilities include monitoring - an organization's networks and systems to detect threats and investigating potential - security incidents. 
+ Responsibilities include monitoring an organization's networks and systems to detect + threats and investigating potential security incidents. Security Engineer (SE) - Responsibilities include developing and implementing - security controls and solutions to protect networks and systems from unauthorized - access and attacks. + Responsibilities include developing and implementing security controls and solutions + to protect networks and systems from unauthorized access and attacks. Usage ----- @@ -43,7 +39,7 @@ Understanding Current Visibility - Understand which techniques you have visibility into given current set of tools and capabilities. - +.. image:: ./_static/sensors.png Filling Defensive Gaps ^^^^^^^^^^^^^^^^^^^^^^ 
@@ -51,34 +47,43 @@ Filling Defensive Gaps - Identify tools and capabilities to acquire or enable in order to fill gaps. - +.. image:: ./_static/gaps.png Find Potential Threats ^^^^^^^^^^^^^^^^^^^^^^ -*I'm concerned about a recent threat report. Can I see it if it were to happen in my environment and where do I look?* +*I'm concerned about a recent threat report. Can I see it if it were to happen in my +environment and where do I look?* - Determine which tools and capabilities to use to find adversary behaviors. - +.. image:: ./_static/threats.png User Stories ------------ -This section describes user stories associated with organizational detection processes and -procedures, based on the roles and usage identified above. +This section describes user stories associated with organizational detection processes +and procedures, based on the roles and usage identified above. -1. As an IR, I want to ensure I have complete visibility of an active security incident. +1. As an IR, I want to ensure I have complete visibility of an active security incident. - Use the mappings to take the observed adversary behaviors as described in ATT&CK to understand current visibility of potential suspicious activities and tie in actionable intelligence from CTI reporting. + Use the mappings to take the observed adversary behaviors as described in ATT&CK to + understand current visibility of potential suspicious activities and tie in + actionable intelligence from CTI reporting. -2. As a CISO or ISSO, I need to align defensive posture with the real-world threats targeting my industry. +2. As a CISO or ISSO, I need to align defensive posture with the real-world threats + targeting my industry. - Use the mappings to understand which of tools and capabilities provide visibility into specific real-world adversary techniques and where gaps may lie. 
+ Use the mappings to understand which of tools and capabilities provide visibility + into specific real-world adversary techniques and where gaps may lie. -3. As a SOC Analyst, I need visibility into threats launched against my organization. +3. As a SOC Analyst, I need visibility into threats launched against my organization. - Use the mappings for identified Data Sources associated with adversary techniques used to identify areas to look for additional indicators of potential suspicious activities. + Use the mappings for identified Data Sources associated with adversary techniques + used to identify areas to look for additional indicators of potential suspicious + activities. -4. As a SE, I want to detect entire classes of adversarial behavior. +4. As an SE, I want to detect entire classes of adversarial behavior. - Build in defensive countermeasures for specific adversary TTPs, using the mappings to identify areas and fill in defensive coverage gaps by reconfiguring existing or adding additional tools or capabilities. + Build in defensive countermeasures for specific adversary TTPs, using the mappings to + identify areas and fill in defensive coverage gaps by reconfiguring existing or + adding additional tools or capabilities. diff --git a/mappings/input/enterprise/xlsx/Sensor to Data Source.xlsx b/mappings/input/enterprise/xlsx/Sensor to Data Source.xlsx new file mode 100644 index 0000000..826e029 Binary files /dev/null and b/mappings/input/enterprise/xlsx/Sensor to Data Source.xlsx differ diff --git a/mappings/layers/enterprise/Auditd-heatmap.json b/mappings/layers/enterprise/Auditd-heatmap.json index 6f2bc84..b3c8aef 100644 --- a/mappings/layers/enterprise/Auditd-heatmap.json +++ b/mappings/layers/enterprise/Auditd-heatmap.json 
@@ -9,2867 +9,977 @@ "description": "", "domain": "enterprise-attack", "techniques": [ - { - "techniqueID": "T1053.005", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1560.001", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, { "techniqueID": "T1047", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1113", "score": 1, "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1037", "score": 1, "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1033", "score": 1, "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, TTY, USER_AVC, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1218.011", - "score": 1, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1222.002", - "score": 1, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1216.001", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1003", "score": 1, "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, TTY, USER_AVC, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1561.002", - "score": 1, - "comment": "Auditd: FS_RELABEL, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1006", "score": 1, "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1564.008", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1546.013", - "score": 1, - "comment": 
"Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1059.007", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1123", "score": 1, "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1543", "score": 1, "comment": "Auditd: ANOM_PROMISCUOUS, CONFIG_CHANGE, DAEMON_CONFIG, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_POLICY_LOAD, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1546.006", + "techniqueID": "T1069", "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1548.002", + "techniqueID": "T1114", "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, CRYPTO_SESSION, USER_AVC, USER_LOGIN, USER_START, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1016.001", + "techniqueID": "T1561", "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: FS_RELABEL, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1548.003", + "techniqueID": "T1615", "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1069", + "techniqueID": "T1025", "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1114", + "techniqueID": 
"T1547", "score": 1, - "comment": "Auditd: ANOM_LINK, CRYPTO_SESSION, USER_AVC, USER_LOGIN, USER_START, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1003.002", + "techniqueID": "T1489", "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_ABEND, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1069.003", + "techniqueID": "T1652", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1574.011", + "techniqueID": "T1564", "score": 1, - "comment": "Auditd: ANOM_PROMISCUOUS, CONFIG_CHANGE, DAEMON_CONFIG, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, CRED_ACQ, CRED_DISP, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, USER_CHAUTHTOK, USER_CMD, USER_ERR, USER_LABELED_EXPORT, USER_ROLE_CHANGE, USER_UNLABELED_EXPORT, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1561", + "techniqueID": "T1137", "score": 1, - "comment": "Auditd: FS_RELABEL, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1555.002", + "techniqueID": "T1119", "score": 1, - "comment": "Auditd: TTY, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1615", + "techniqueID": "T1115", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: USYS_CONFIG", + "color": "#ed0858" }, 
{ - "techniqueID": "T1025", + "techniqueID": "T1007", "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1218.013", + "techniqueID": "T1040", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1074.001", + "techniqueID": "T1135", "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1114.001", + "techniqueID": "T1120", "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1555.001", + "techniqueID": "T1082", "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1547", + "techniqueID": "T1053", "score": 1, "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1003.004", + "techniqueID": "T1176", "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1036.008", + "techniqueID": "T1202", "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1489", + "techniqueID": "T1005", "score": 1, - "comment": "Auditd: ANOM_ABEND, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG", + "color": 
"#ed0858" }, { - "techniqueID": "T1652", + "techniqueID": "T1562", "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_ABEND, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, NETFILTER_CFG, SELINUX_ERR, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CHAUTHTOK, USER_CMD, USER_ROLE_CHANGE, USER_TTY, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1087.002", + "techniqueID": "T1558", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, CRYPTO_KEY_USER, LOGIN, USER_AVC, USER_END, USER_LOGOUT, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1547.014", + "techniqueID": "T1555", "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, TTY, USER_AVC, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1564", + "techniqueID": "T1567", "score": 1, - "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, CRED_ACQ, CRED_DISP, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, USER_CHAUTHTOK, USER_CMD, USER_ERR, USER_LABELED_EXPORT, USER_ROLE_CHANGE, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1484.002", + "techniqueID": "T1036", "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, SELINUX_ERR, USER_LABELED_EXPORT, USER_TTY, USER_UNLABELED_EXPORT, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1087.001", + "techniqueID": "T1552", "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, 
RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_AVC, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1562.009", + "techniqueID": "T1218", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1542.005", + "techniqueID": "T1010", "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1543.003", + "techniqueID": "T1011", "score": 1, - "comment": "Auditd: ANOM_PROMISCUOUS, CONFIG_CHANGE, DAEMON_CONFIG, DAEMON_START, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_POLICY_LOAD, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1497.001", + "techniqueID": "T1560", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1053.003", + "techniqueID": "T1021", "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: CRYPTO_SESSION, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1069.002", + "techniqueID": "T1112", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1070.002", + "techniqueID": "T1563", "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: CRYPTO_SESSION, MAC_UNLBL_ALLOW, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1137", + "techniqueID": "T1217", "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": 
"Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1218.004", + "techniqueID": "T1222", "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1119", + "techniqueID": "T1548", "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1115", + "techniqueID": "T1125", "score": 1, "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1003.007", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1555.005", + "techniqueID": "T1016", "score": 1, - "comment": "Auditd: ANOM_LINK, TTY, USER_AVC, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1553.001", + "techniqueID": "T1087", "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1007", + "techniqueID": "T1059", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1040", + "techniqueID": "T1482", "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1552.002", + "techniqueID": "T1020", "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, 
USER_AVC, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1135", + "techniqueID": "T1070", "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_DEL_ACCOUNT, ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, DEL_USER, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, NETFILTER_CFG, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USER_CMD, USER_LABELED_EXPORT, USER_ROLE_CHANGE, USER_UNLABELED_EXPORT, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1120", + "techniqueID": "T1609", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1222.001", + "techniqueID": "T1083", "score": 1, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1137.006", + "techniqueID": "T1647", "score": 1, "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1082", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1074.002", + "techniqueID": "T1074", "score": 1, "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1053", + "techniqueID": "T1649", "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, CRYPTO_SESSION, USER_AVC, USER_LOGIN, USER_START, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1218.007", + "techniqueID": "T1049", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1505.005", + "techniqueID": "T1542", "score": 1, - "comment": "Auditd: 
LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: FS_RELABEL, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1059.002", + "techniqueID": "T1497", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1176", + "techniqueID": "T1480", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1070.007", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, NETFILTER_CFG, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1070.003", + "techniqueID": "T1204", "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1202", + "techniqueID": "T1057", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1005", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1137.005", + "techniqueID": "T1041", "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1562", + "techniqueID": "T1098", "score": 1, - "comment": "Auditd: ANOM_ABEND, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, NETFILTER_CFG, SELINUX_ERR, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CHAUTHTOK, USER_CMD, USER_ROLE_CHANGE, USER_TTY, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG", + 
"color": "#ed0858" }, { - "techniqueID": "T1558", + "techniqueID": "T1048", "score": 1, - "comment": "Auditd: ANOM_LINK, CRYPTO_KEY_USER, LOGIN, USER_AVC, USER_END, USER_LOGOUT, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1555", + "techniqueID": "T1110", "score": 1, - "comment": "Auditd: ANOM_LINK, TTY, USER_AVC, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1567", + "techniqueID": "T1039", "score": 1, "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1036", + "techniqueID": "T1574", "score": 1, - "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, SELINUX_ERR, USER_LABELED_EXPORT, USER_TTY, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1546.011", + "techniqueID": "T1027", "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1552", + "techniqueID": "T1201", "score": 1, - "comment": "Auditd: ANOM_LINK, ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_AVC, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, 
USER_CMD, USER_ERR, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1070.008", + "techniqueID": "T1546", "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1037.002", + "techniqueID": "T1486", "score": 1, "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1218", + "techniqueID": "T1553", "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1010", + "techniqueID": "T1570", "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1087.003", + "techniqueID": "T1012", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1497.003", + "techniqueID": "T1614", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1218.003", + "techniqueID": "T1197", "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1563.001", + "techniqueID": "T1496", "score": 1, - "comment": "Auditd: CRYPTO_SESSION, MAC_UNLBL_ALLOW, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, 
USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1562.002", + "techniqueID": "T1569", "score": 1, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1021.002", + "techniqueID": "T1485", "score": 1, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START, USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1218.002", + "techniqueID": "T1651", "score": 1, "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1547.005", + "techniqueID": "T1134", "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" + "comment": "Auditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, USER_CMD, USER_ERR, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1011", - "score": 1, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1562.004", - "score": 1, - "comment": "Auditd: NETFILTER_CFG, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1560", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1021", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1059.009", - "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1553.006", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1112", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1543.004", - "score": 1, - "comment": 
"Auditd: ANOM_PROMISCUOUS, CONFIG_CHANGE, DAEMON_CONFIG, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_POLICY_LOAD, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1555.003", - "score": 1, - "comment": "Auditd: ANOM_LINK, TTY, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1563", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, MAC_UNLBL_ALLOW, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1484.001", - "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1217", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1552.004", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1021.006", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, USER_CMD, USER_LOGIN, USER_START, USER_TTY, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1011.001", - "score": 1, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1547.003", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1546.005", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1574.006", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1136.001", - "score": 1, - "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1070.001", - 
"score": 1, - "comment": "Auditd: USER_CHAUTHTOK, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1222", - "score": 1, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1003.001", - "score": 1, - "comment": "Auditd: TTY, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1548", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1134.002", - "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1548.001", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1547.004", - "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1003.005", - "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1098.004", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1546.012", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1218.008", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1125", - "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1016", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1546.008", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1087", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG", - "color": "#79709F" - 
}, - { - "techniqueID": "T1059", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1562.006", - "score": 1, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1136.002", - "score": 1, - "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1482", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1020", - "score": 1, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1070", - "score": 1, - "comment": "Auditd: ANOM_DEL_ACCOUNT, ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, DEL_USER, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, NETFILTER_CFG, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USER_CMD, USER_LABELED_EXPORT, USER_ROLE_CHANGE, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1048.001", - "score": 1, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1137.001", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1609", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1083", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1036.004", - "score": 1, - "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, DAEMON_START, MAC_POLICY_LOAD, SELINUX_ERR, USER_TTY, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1647", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, 
USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1546.009", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1114.003", - "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1074", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1649", - "score": 1, - "comment": "Auditd: ANOM_LINK, CRYPTO_SESSION, USER_AVC, USER_LOGIN, USER_START, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1049", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1542", - "score": 1, - "comment": "Auditd: FS_RELABEL, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1218.012", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1569.001", - "score": 1, - "comment": "Auditd: DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1059.008", - "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1552.003", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1562.010", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1497", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1552.001", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1218.005", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1480", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1134.001", - 
"score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1567.001", - "score": 1, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1204", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1564.002", - "score": 1, - "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, CRED_ACQ, CRED_DISP, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USER_ERR, USER_ROLE_CHANGE, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1134.003", - "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1552.006", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1048.002", - "score": 1, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1087.004", - "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1057", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1562.003", - "score": 1, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1546.003", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1497.002", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1041", - "score": 1, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1059.001", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1546.001", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - 
"techniqueID": "T1546.014", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1547.001", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1069.001", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1098", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1048", - "score": 1, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1547.006", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1056.002", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1052.001", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1053.006", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1218.001", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1070.005", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, MAC_UNLBL_ALLOW, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1110", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": 
"T1059.004", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1137.003", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1562.001", - "score": 1, - "comment": "Auditd: ANOM_ABEND, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_TTY, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1039", - "score": 1, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1574", - "score": 1, - "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1204.003", - "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1564.009", - "score": 1, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1027", - "score": 1, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1114.002", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1505.004", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1564.006", - "score": 1, - "comment": "Auditd: DAEMON_START, MAC_POLICY_LOAD, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1201", - "score": 1, - "comment": "Auditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, USER_CMD, USER_ERR, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1546", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, 
USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1546.004", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1486", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1553", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1547.002", - "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1218.010", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1546.015", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1036.003", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1137.004", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1567.002", - "score": 1, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1570", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1037.005", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1614.001", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1012", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1218.009", 
- "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1553.004", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1037.003", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1027.004", - "score": 1, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1614", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1197", - "score": 1, - "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1127.001", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1518.001", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1564.003", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1059.006", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1546.010", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1496", - "score": 1, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1546.002", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1003.008", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1543.001", - "score": 1, - "comment": "Auditd: ANOM_PROMISCUOUS, 
CONFIG_CHANGE, DAEMON_CONFIG, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_POLICY_LOAD, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1569", - "score": 1, - "comment": "Auditd: DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1059.003", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1070.009", - "score": 1, - "comment": "Auditd: ANOM_DEL_ACCOUNT, DEL_USER, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1555.004", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1485", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1556.005", - "score": 1, - "comment": "Auditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, USER_ERR, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1027.010", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1070.004", - "score": 1, - "comment": "Auditd: USER_CHAUTHTOK, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1651", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1546.016", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1037.004", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1134", - "score": 1, - "comment": "Auditd: CRED_ACQ, CRED_DISP, 
USER_CHAUTHTOK, USER_CMD, USER_ERR, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1059.005", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1543.002", - "score": 1, - "comment": "Auditd: ANOM_PROMISCUOUS, CONFIG_CHANGE, DAEMON_CONFIG, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_POLICY_LOAD, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1563.002", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, MAC_UNLBL_ALLOW, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1136", - "score": 1, - "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1547.013", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1018", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1046", - "score": 1, - "comment": "Auditd: USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1518", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1622", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1547.007", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1052", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1037.001", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1484", - "score": 1, - "comment": "Auditd: 
USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1564.001", - "score": 1, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1137.002", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1003.003", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1569.002", - "score": 1, - "comment": "Auditd: DAEMON_START, MAC_POLICY_LOAD, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1480.001", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1564.004", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1124", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1053.002", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1490", - "score": 1, - "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, USER_CHAUTHTOK, USER_CMD, USER_TTY, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1546.007", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1216", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1552.007", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1561.001", - "score": 1, - "comment": "Auditd: 
FS_RELABEL, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1048.003", - "score": 1, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1127", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1529", - "score": 1, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1218.014", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1574.012", - "score": 1, - "comment": "Auditd: USER_CMD, USYS_CONFIG", - "color": "#79709F" - }, - { - "techniqueID": "T1014", - "score": 1, - "comment": "Auditd: FS_RELABEL, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": "#79709F" - }, - { - "techniqueID": "T1542.003", - "score": 1, - "comment": "Auditd: FS_RELABEL", - "color": "#79709F" - }, - { - "techniqueID": "T1539", - "score": 1, - "comment": "Auditd: ANOM_LINK, TTY, USER_AVC", - "color": "#79709F" - }, - { - "techniqueID": "T1091", - "score": 1, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1187", - "score": 1, - "comment": "Auditd: ANOM_LINK, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_AVC", - "color": "#79709F" - }, - { - "techniqueID": "T1565.001", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK", - "color": "#79709F" - }, - { - "techniqueID": "T1565.003", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1554", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1565", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, 
LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_CHAUTHTOK, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1027.009", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1036.007", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1195.001", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1036.005", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1027.008", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1553.002", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1195", - "score": 1, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1055", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, TTY, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1070.006", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1027.001", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1055.013", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1036.002", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1553.005", - "score": 1, - "comment": "Auditd: 
USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1036.001", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1195.002", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1027.003", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1564.007", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1027.002", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1036.006", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1027.007", - "score": 1, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", - "color": "#79709F" - }, - { - "techniqueID": "T1556.003", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1491.002", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - "techniqueID": "T1600", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": "#79709F" - }, - { - "techniqueID": "T1080", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1574.001", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": "#79709F" - }, - { - "techniqueID": "T1600.001", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": "#79709F" - }, - { - "techniqueID": "T1140", - "score": 1, - "comment": "Auditd: 
LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1547.009", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1553.003", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": "#79709F" - }, - { - "techniqueID": "T1556.007", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1574.008", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1491", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - "techniqueID": "T1505.003", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1056.003", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": "#79709F" - }, - { - "techniqueID": "T1574.005", - "score": 1, - "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY", - "color": "#79709F" - }, - { - "techniqueID": "T1600.002", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": "#79709F" - }, - { - "techniqueID": "T1547.015", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1491.001", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - "techniqueID": "T1574.010", - "score": 1, - "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY", - "color": "#79709F" - }, - { - "techniqueID": 
"T1601", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": "#79709F" - }, - { - "techniqueID": "T1056", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1574.009", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1055.009", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": "#79709F" - }, - { - "techniqueID": "T1601.001", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": "#79709F" - }, - { - "techniqueID": "T1505", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1556.001", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, TTY, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1564.005", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": "#79709F" - }, - { - "techniqueID": "T1574.002", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1547.008", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": "#79709F" - }, - { - "techniqueID": "T1556", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, TTY, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USER_LOGIN, USER_ROLE_CHANGE, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1556.004", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": "#79709F" - }, - { - "techniqueID": "T1574.004", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": 
"#79709F" - }, - { - "techniqueID": "T1601.002", - "score": 1, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", - "color": "#79709F" - }, - { - "techniqueID": "T1562.007", - "score": 1, - "comment": "Auditd: NETFILTER_CFG", - "color": "#79709F" - }, - { - "techniqueID": "T1498.001", - "score": 1, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN", - "color": "#79709F" - }, - { - "techniqueID": "T1499.001", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN", - "color": "#79709F" - }, - { - "techniqueID": "T1499.003", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN", - "color": "#79709F" - }, - { - "techniqueID": "T1499.004", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN", - "color": "#79709F" - }, - { - "techniqueID": "T1498.002", - "score": 1, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN", - "color": "#79709F" - }, - { - "techniqueID": "T1499.002", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN", - "color": "#79709F" - }, - { - "techniqueID": "T1195.003", - "score": 1, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN", - "color": "#79709F" - }, - { - "techniqueID": "T1562.011", - "score": 1, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1499", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN", - "color": "#79709F" - }, - { - "techniqueID": "T1498", - "score": 1, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN", - "color": "#79709F" - }, - { - "techniqueID": "T1021.005", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, USER_CMD, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1213.002", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1606.002", - "score": 1, - 
"comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1021.004", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, USER_CMD, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1550", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1185", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, TTY, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1078.001", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1213.001", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1550.003", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1606.001", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1021.007", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1606", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1621", - "score": 1, - "comment": 
"Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1199", - "score": 1, - "comment": "Auditd: CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, MAC_UNLBL_ALLOW, USER_END, USER_LOGIN, USER_LOGOUT, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1078", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1556.006", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USER_LOGIN, USER_ROLE_CHANGE, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1078.002", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1213.003", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1213", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1538", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": 
"T1550.002", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1021.001", - "score": 1, - "comment": "Auditd: CRYPTO_SESSION, USER_CMD, USER_LOGIN, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1078.004", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1078.003", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START", - "color": "#79709F" - }, - { - "techniqueID": "T1133", - "score": 1, - "comment": "Auditd: CRYPTO_KEY_USER, LOGIN, MAC_UNLBL_ALLOW, USER_END, USER_LOGOUT", - "color": "#79709F" - }, - { - "techniqueID": "T1558.001", - "score": 1, - "comment": "Auditd: CRYPTO_KEY_USER, LOGIN, USER_END, USER_LOGOUT", - "color": "#79709F" - }, - { - "techniqueID": "T1558.002", - "score": 1, - "comment": "Auditd: CRYPTO_KEY_USER, LOGIN, USER_END, USER_LOGOUT", - "color": "#79709F" - }, - { - "techniqueID": "T1557", - "score": 1, - "comment": "Auditd: DAEMON_START, MAC_POLICY_LOAD, MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - "techniqueID": "T1132.001", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - "techniqueID": "T1602", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - "techniqueID": "T1071.004", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - 
"techniqueID": "T1573.001", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - "techniqueID": "T1586.001", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - "techniqueID": "T1566.002", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - "techniqueID": "T1598.003", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - "techniqueID": "T1566.001", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - "techniqueID": "T1071", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - "techniqueID": "T1190", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - "techniqueID": "T1219", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1205", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1572", - "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" - }, - { - "techniqueID": "T1599.001", + "techniqueID": "T1136", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1602.002", + "techniqueID": "T1018", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1589", + "techniqueID": "T1046", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1071.003", + "techniqueID": "T1518", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - 
"techniqueID": "T1595.002", + "techniqueID": "T1622", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1207", + "techniqueID": "T1052", "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, MAC_UNLBL_ALLOW, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1557.003", + "techniqueID": "T1484", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1557.001", + "techniqueID": "T1124", "score": 1, - "comment": "Auditd: DAEMON_START, MAC_POLICY_LOAD, MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1595", + "techniqueID": "T1490", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, USER_CHAUTHTOK, USER_CMD, USER_TTY, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1090.002", + "techniqueID": "T1216", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1589.002", + "techniqueID": "T1127", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1090", + "techniqueID": "T1529", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD, USYS_CONFIG", + "color": "#ed0858" }, { - "techniqueID": "T1568", + "techniqueID": "T1014", "score": 1, - "comment": "Auditd: 
MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: FS_RELABEL, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", + "color": "#ed0858" }, { - "techniqueID": "T1612", + "techniqueID": "T1539", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, TTY, USER_AVC", + "color": "#ed0858" }, { - "techniqueID": "T1586", + "techniqueID": "T1091", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD", + "color": "#ed0858" }, { - "techniqueID": "T1102", + "techniqueID": "T1187", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: ANOM_LINK, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_AVC", + "color": "#ed0858" }, { - "techniqueID": "T1568.003", + "techniqueID": "T1554", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", + "color": "#ed0858" }, { - "techniqueID": "T1598.002", + "techniqueID": "T1565", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_CHAUTHTOK, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", + "color": "#ed0858" }, { - "techniqueID": "T1071.002", + "techniqueID": "T1195", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", + "color": "#ed0858" }, { - "techniqueID": "T1102.003", + "techniqueID": "T1055", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, TTY, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT", + "color": "#ed0858" }, { - "techniqueID": "T1210", + "techniqueID": "T1600", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + 
"comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", + "color": "#ed0858" }, { - "techniqueID": "T1534", + "techniqueID": "T1080", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD", + "color": "#ed0858" }, { - "techniqueID": "T1566", + "techniqueID": "T1140", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD", + "color": "#ed0858" }, { - "techniqueID": "T1090.003", + "techniqueID": "T1491", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW", + "color": "#ed0858" }, { - "techniqueID": "T1001", + "techniqueID": "T1601", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE", + "color": "#ed0858" }, { - "techniqueID": "T1571", + "techniqueID": "T1056", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD", + "color": "#ed0858" }, { - "techniqueID": "T1585.001", + "techniqueID": "T1505", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_CMD", + "color": "#ed0858" }, { - "techniqueID": "T1599", + "techniqueID": "T1556", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, TTY, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USER_LOGIN, USER_ROLE_CHANGE, USER_START", + "color": "#ed0858" }, { - "techniqueID": "T1573", + "techniqueID": "T1499", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": 
"Auditd: MAC_UNLBL_ALLOW, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN", + "color": "#ed0858" }, { - "techniqueID": "T1567.003", + "techniqueID": "T1498", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN", + "color": "#ed0858" }, { - "techniqueID": "T1102.002", + "techniqueID": "T1550", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START", + "color": "#ed0858" }, { - "techniqueID": "T1595.003", + "techniqueID": "T1185", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: CRYPTO_SESSION, TTY, USER_LOGIN, USER_START", + "color": "#ed0858" }, { - "techniqueID": "T1573.002", + "techniqueID": "T1606", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START", + "color": "#ed0858" }, { - "techniqueID": "T1095", + "techniqueID": "T1621", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START", + "color": "#ed0858" }, { - "techniqueID": "T1001.003", + "techniqueID": "T1199", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, MAC_UNLBL_ALLOW, USER_END, USER_LOGIN, USER_LOGOUT, USER_START", + "color": "#ed0858" }, { - "techniqueID": "T1090.004", + "techniqueID": "T1078", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, 
ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START", + "color": "#ed0858" }, { - "techniqueID": "T1557.002", + "techniqueID": "T1213", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START", + "color": "#ed0858" }, { - "techniqueID": "T1132", + "techniqueID": "T1538", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START", + "color": "#ed0858" }, { - "techniqueID": "T1598", + "techniqueID": "T1133", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: CRYPTO_KEY_USER, LOGIN, MAC_UNLBL_ALLOW, USER_END, USER_LOGOUT", + "color": "#ed0858" }, { - "techniqueID": "T1585", + "techniqueID": "T1557", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: DAEMON_START, MAC_POLICY_LOAD, MAC_UNLBL_ALLOW", + "color": "#ed0858" }, { - "techniqueID": "T1565.002", + "techniqueID": "T1602", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1132.002", + "techniqueID": "T1071", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1537", + "techniqueID": "T1190", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1189", + "techniqueID": "T1219", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1221", + "techniqueID": "T1205", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD", - "color": "#79709F" + "color": "#ed0858" }, { 
- "techniqueID": "T1071.001", + "techniqueID": "T1572", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1105", + "techniqueID": "T1589", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1602.001", + "techniqueID": "T1207", "score": 1, - "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, MAC_UNLBL_ALLOW, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH", + "color": "#ed0858" }, { - "techniqueID": "T1001.002", + "techniqueID": "T1595", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1204.001", + "techniqueID": "T1090", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1003.006", + "techniqueID": "T1568", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1566.003", + "techniqueID": "T1612", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1090.001", + "techniqueID": "T1586", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1102.001", + "techniqueID": "T1102", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1001.001", + "techniqueID": "T1210", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1598.001", + "techniqueID": "T1534", "score": 1, "comment": "Auditd: MAC_UNLBL_ALLOW", - "color": "#79709F" + "color": "#ed0858" }, { - "techniqueID": "T1055.003", + "techniqueID": "T1566", "score": 1, - "comment": "Auditd: TTY", - "color": "#79709F" + "comment": 
"Auditd: MAC_UNLBL_ALLOW", + "color": "#ed0858" }, { - "techniqueID": "T1055.004", + "techniqueID": "T1001", "score": 1, - "comment": "Auditd: TTY", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW", + "color": "#ed0858" }, { - "techniqueID": "T1055.002", + "techniqueID": "T1571", "score": 1, - "comment": "Auditd: TTY", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW", + "color": "#ed0858" }, { - "techniqueID": "T1559.003", + "techniqueID": "T1599", "score": 1, - "comment": "Auditd: TTY", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW", + "color": "#ed0858" }, { - "techniqueID": "T1559", + "techniqueID": "T1573", "score": 1, - "comment": "Auditd: TTY, USER_CMD", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW", + "color": "#ed0858" }, { - "techniqueID": "T1055.012", + "techniqueID": "T1095", "score": 1, - "comment": "Auditd: TTY", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW", + "color": "#ed0858" }, { - "techniqueID": "T1055.005", + "techniqueID": "T1132", "score": 1, - "comment": "Auditd: TTY", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW", + "color": "#ed0858" }, { - "techniqueID": "T1055.008", + "techniqueID": "T1598", "score": 1, - "comment": "Auditd: TTY", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW", + "color": "#ed0858" }, { - "techniqueID": "T1055.001", + "techniqueID": "T1585", "score": 1, - "comment": "Auditd: TTY", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW", + "color": "#ed0858" }, { - "techniqueID": "T1205.002", + "techniqueID": "T1537", "score": 1, - "comment": "Auditd: USER_CMD", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW", + "color": "#ed0858" }, { - "techniqueID": "T1574.007", + "techniqueID": "T1189", "score": 1, - "comment": "Auditd: USER_CMD", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD", + "color": "#ed0858" }, { - "techniqueID": "T1559.002", + "techniqueID": "T1221", "score": 1, - "comment": "Auditd: 
USER_CMD", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD", + "color": "#ed0858" }, { - "techniqueID": "T1204.002", + "techniqueID": "T1105", "score": 1, - "comment": "Auditd: USER_CMD", - "color": "#79709F" + "comment": "Auditd: MAC_UNLBL_ALLOW", + "color": "#ed0858" }, { - "techniqueID": "T1559.001", + "techniqueID": "T1559", "score": 1, - "comment": "Auditd: USER_CMD", - "color": "#79709F" + "comment": "Auditd: TTY, USER_CMD", + "color": "#ed0858" }, { "techniqueID": "T1611", "score": 1, "comment": "Auditd: USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1021.003", - "score": 1, - "comment": "Auditd: USER_CMD", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1072", "score": 1, "comment": "Auditd: USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1134.004", - "score": 1, - "comment": "Auditd: USER_CMD", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1212", "score": 1, "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CMD", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1068", "score": 1, "comment": "Auditd: USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1548.004", - "score": 1, - "comment": "Auditd: USER_CMD", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1203", "score": 1, "comment": "Auditd: USER_CMD", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1220", "score": 1, "comment": "Auditd: USER_CMD", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1211", "score": 1, "comment": "Auditd: USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1564.010", - "score": 1, - "comment": "Auditd: USER_CMD", - "color": "#79709F" - }, - { - "techniqueID": "T1110.001", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, 
RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH", - "color": "#79709F" - }, - { - "techniqueID": "T1552.005", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH", - "color": "#79709F" - }, - { - "techniqueID": "T1110.002", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH", - "color": "#79709F" - }, - { - "techniqueID": "T1110.003", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH", - "color": "#79709F" - }, - { - "techniqueID": "T1110.004", - "score": 1, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH", - "color": "#79709F" - }, - { - "techniqueID": "T1136.003", - "score": 1, - "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, USER_ROLE_CHANGE", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1531", "score": 1, "comment": "Auditd: ANOM_DEL_ACCOUNT, DEL_USER, USER_CHAUTHTOK, USER_ROLE_CHANGE", - "color": "#79709F" - }, - { - "techniqueID": "T1134.005", - "score": 1, - "comment": "Auditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, USER_ERR", - "color": "#79709F" - }, - { - "techniqueID": "T1098.003", - "score": 1, - "comment": "Auditd: USER_CHAUTHTOK, USER_ROLE_CHANGE", - "color": "#79709F" - }, - { - "techniqueID": "T1098.005", - "score": 1, - "comment": "Auditd: USER_CHAUTHTOK, USER_ROLE_CHANGE", - "color": "#79709F" + "color": "#ed0858" }, { "techniqueID": "T1528", "score": 1, "comment": "Auditd: USER_CHAUTHTOK, USER_ROLE_CHANGE", - "color": "#79709F" - }, - { - "techniqueID": "T1098.001", - "score": 1, - "comment": "Auditd: USER_CHAUTHTOK, USER_ROLE_CHANGE", - "color": 
"#79709F" - }, - { - "techniqueID": "T1562.008", - "score": 1, - "comment": "Auditd: USER_CHAUTHTOK, USER_ROLE_CHANGE", - "color": "#79709F" - }, - { - "techniqueID": "T1098.002", - "score": 1, - "comment": "Auditd: USER_CHAUTHTOK, USER_ROLE_CHANGE", - "color": "#79709F" + "color": "#ed0858" } ], "gradient": { @@ -2883,7 +993,7 @@ "legendItems": [ { "label": "Auditd", - "color": "#79709F" + "color": "#ed0858" } ] } \ No newline at end of file diff --git a/mappings/layers/enterprise/CloudTrail-heatmap.json b/mappings/layers/enterprise/CloudTrail-heatmap.json index 7aaed37..a70f728 100644 --- a/mappings/layers/enterprise/CloudTrail-heatmap.json +++ b/mappings/layers/enterprise/CloudTrail-heatmap.json 
@@ -13,607 +13,253 @@ "techniqueID": "T1033", "score": 1, "comment": "CloudTrail: GetOpenIDConnectProvider", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1003", "score": 1, "comment": "CloudTrail: GetOpenIDConnectProvider", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1615", "score": 1, "comment": "CloudTrail: GetOpenIDConnectProvider", - "color": "#BC5627" - }, - { - "techniqueID": "T1003.006", - "score": 1, - "comment": "CloudTrail: GetOpenIDConnectProvider", - "color": "#BC5627" - }, - { - "techniqueID": "T1484.002", - "score": 1, - "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, CreateOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1207", "score": 1, "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, CreateOpenIDConnectProvider, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, RemoveClientIDFromOpenIDConnectProvider, ResyncMFADevice, TagMFADevice, TagOpenIDConnectProvider, TagSAMLProvider, UntagMFADevice, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider", - "color": "#BC5627" - }, - { - "techniqueID": "T1484.001", - "score": 1, - "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, CreateOpenIDConnectProvider, DeleteOpenIDConnectProvider, DeleteSAMLProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider", - "color": "#BC5627" - }, - { - "techniqueID": "T1098.005", - "score": 1, - "comment": "CloudTrail: CreateOpenIDConnectProvider, SetSecurityTokenPreferences, TagUser, 
UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1484", "score": 1, "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, CreateOpenIDConnectProvider, DeleteOpenIDConnectProvider, DeleteSAMLProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1037", "score": 1, "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider", - "color": "#BC5627" - }, - { - "techniqueID": "T1222.001", - "score": 1, - "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1222", "score": 1, "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1649", "score": 1, "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, ConsoleLogin, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider", - "color": "#BC5627" + "color": "#5d053f" }, { 
"techniqueID": "T1098", "score": 1, "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, AddUserToGroup, AttachGroupPolicy, RemoveClientIDFromOpenIDConnectProvider, RemoveUserFromGroup, SetSecurityTokenPreferences, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateGroup, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1531", "score": 1, "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, DeleteUser, RemoveClientIDFromOpenIDConnectProvider, SetSecurityTokenPreferences, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate", - "color": "#BC5627" - }, - { - "techniqueID": "T1556.006", - "score": 1, - "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, RemoveClientIDFromOpenIDConnectProvider, ResyncMFADevice, SetSecurityTokenPreferences, TagMFADevice, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagMFADevice, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate", - "color": "#BC5627" - }, - { - "techniqueID": "T1134.005", - 
"score": 1, - "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, RemoveClientIDFromOpenIDConnectProvider, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagOpenIDConnectProvider, TagPolicy, TagRole, TagSAMLProvider, Untag Policy, UntagOpenIDConnectProvider, UntagRole, UntagSAMLProvider, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateOpenIDConnectProviderThumbprint, UpdateRole, UpdateSAMLProvider", - "color": "#BC5627" - }, - { - "techniqueID": "T1037.003", - "score": 1, - "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider", - "color": "#BC5627" - }, - { - "techniqueID": "T1556.005", - "score": 1, - "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, AttachRolePolicy, 
AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, RemoveClientIDFromOpenIDConnectProvider, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagOpenIDConnectProvider, TagPolicy, TagRole, TagSAMLProvider, Untag Policy, UntagOpenIDConnectProvider, UntagRole, UntagSAMLProvider, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateOpenIDConnectProviderThumbprint, UpdateRole, UpdateSAMLProvider", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1134", "score": 1, "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, 
DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, RemoveClientIDFromOpenIDConnectProvider, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagOpenIDConnectProvider, TagPolicy, TagRole, TagSAMLProvider, Untag Policy, UntagOpenIDConnectProvider, UntagRole, UntagSAMLProvider, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateOpenIDConnectProviderThumbprint, UpdateRole, UpdateSAMLProvider", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1556", "score": 1, "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, RemoveClientIDFromOpenIDConnectProvider, ResyncMFADevice, SetSecurityTokenPreferences, TagMFADevice, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagMFADevice, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1562", "score": 1, "comment": "CloudTrail: SetSecurityTokenPreferences, StopLogging, TagUser, UntagUser, 
UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate", - "color": "#BC5627" - }, - { - "techniqueID": "T1562.008", - "score": 1, - "comment": "CloudTrail: SetSecurityTokenPreferences, StopLogging, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1069", "score": 1, "comment": "CloudTrail: DeleteGroupPolicy, DetachGroupPolicy, GetContextKeysForPrincipalPolicy, GetGroupPolicy, ListAttachedGroupPolicies, ListEntitiesForPolicy, ListGroupPolicies, ListGroups, ListGroupsForUser, ListPoliciesGrantingServiceAccess, PutGroupPolicy", - "color": "#BC5627" - }, - { - "techniqueID": "T1069.003", - "score": 1, - "comment": "CloudTrail: DeleteGroupPolicy, DetachGroupPolicy, GetContextKeysForPrincipalPolicy, GetGroupPolicy, ListAttachedGroupPolicies, ListEntitiesForPolicy, ListGroupPolicies, ListGroups, ListGroupsForUser, ListPoliciesGrantingServiceAccess, PutGroupPolicy", - "color": "#BC5627" - }, - { - "techniqueID": "T1087.002", - "score": 1, - "comment": "CloudTrail: ListAttachedGroupPolicies, ListGroupPolicies, ListGroups, ListGroupsForUser", - "color": "#BC5627" - }, - { - "techniqueID": "T1087.001", - "score": 1, - "comment": "CloudTrail: ListAttachedGroupPolicies, ListGroupPolicies, ListGroups, ListGroupsForUser", - "color": "#BC5627" - }, - { - "techniqueID": "T1069.002", - "score": 1, - "comment": "CloudTrail: ListAttachedGroupPolicies, ListGroupPolicies, ListGroups, ListGroupsForUser", - "color": "#BC5627" - }, - { - "techniqueID": "T1069.001", - "score": 1, - "comment": "CloudTrail: ListAttachedGroupPolicies, ListGroupPolicies, ListGroups, ListGroupsForUser", - "color": "#BC5627" - }, - { - "techniqueID": "T1098.002", - "score": 1, - 
"comment": "CloudTrail: AddUserToGroup, AttachGroupPolicy, RemoveUserFromGroup, SetSecurityTokenPreferences, TagUser, UntagUser, UpdateAccessKey, UpdateGroup, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1525", "score": 1, "comment": "CloudTrail: CreateImage, ModifyImageAttribute", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1612", "score": 1, "comment": "CloudTrail: CreateImage", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1204", "score": 1, "comment": "CloudTrail: CreateImage, RunInstances, StartInstances", - "color": "#BC5627" - }, - { - "techniqueID": "T1204.003", - "score": 1, - "comment": "CloudTrail: CreateImage, RunInstances, StartInstances", - "color": "#BC5627" - }, - { - "techniqueID": "T1578.004", - "score": 1, - "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, DeleteInstanceProfile, GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, RemoveRoleFromInstanceProfile, RunInstances, StartInstances, StopInstances, TagInstanceProfile, UntagInstanceProfile", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1578", "score": 1, "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, CreateSnapshot, CreateVolume, DeleteInstanceProfile, DeleteSnapshot, DetachVolume, GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, ModifySnapshotAttribute, ModifyVolume, RemoveRoleFromInstanceProfile, RunInstances, StartInstances, StopInstances, TagInstanceProfile, UntagInstanceProfile", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1535", "score": 1, "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, DeleteInstanceProfile, GetInstanceProfile, ListInstanceProfileTags, 
ListInstanceProfiles, ListInstanceProfilesForRole, RemoveRoleFromInstanceProfile, TagInstanceProfile, UntagInstanceProfile", - "color": "#BC5627" - }, - { - "techniqueID": "T1578.003", - "score": 1, - "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, DeleteInstanceProfile, GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, RemoveRoleFromInstanceProfile, TagInstanceProfile, UntagInstanceProfile", - "color": "#BC5627" - }, - { - "techniqueID": "T1578.002", - "score": 1, - "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, DeleteInstanceProfile, GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, RemoveRoleFromInstanceProfile, TagInstanceProfile, UntagInstanceProfile", - "color": "#BC5627" - }, - { - "techniqueID": "T1021.005", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" - }, - { - "techniqueID": "T1556.003", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" - }, - { - "techniqueID": "T1213.002", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1114", "score": 1, "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" - }, - { - "techniqueID": "T1606.002", - "score": 1, - "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" - }, - { - "techniqueID": "T1021.004", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" - }, - { - "techniqueID": "T1563.001", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" - }, - { - "techniqueID": "T1021.002", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" + "color": "#5d053f" }, { 
"techniqueID": "T1550", "score": 1, "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1185", "score": 1, "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1021", "score": 1, "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" - }, - { - "techniqueID": "T1556.007", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1563", "score": 1, "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" - }, - { - "techniqueID": "T1021.006", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" - }, - { - "techniqueID": "T1078.001", - "score": 1, - "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" - }, - { - "techniqueID": "T1213.001", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" - }, - { - "techniqueID": "T1550.003", - "score": 1, - "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" - }, - { - "techniqueID": "T1606.001", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" - }, - { - "techniqueID": "T1021.007", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1606", "score": 1, "comment": "CloudTrail: ConsoleLogin", - "color": 
"#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1621", "score": 1, "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1199", "score": 1, "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1078", "score": 1, "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" - }, - { - "techniqueID": "T1114.002", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" - }, - { - "techniqueID": "T1078.002", - "score": 1, - "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" - }, - { - "techniqueID": "T1213.003", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1213", "score": 1, "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" - }, - { - "techniqueID": "T1556.001", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" - }, - { - "techniqueID": "T1563.002", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1538", "score": 1, "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - 
"color": "#BC5627" - }, - { - "techniqueID": "T1550.002", - "score": 1, - "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" - }, - { - "techniqueID": "T1021.001", - "score": 1, - "comment": "CloudTrail: ConsoleLogin", - "color": "#BC5627" - }, - { - "techniqueID": "T1078.004", - "score": 1, - "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" - }, - { - "techniqueID": "T1078.003", - "score": 1, - "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1537", "score": 1, "comment": "CloudTrail: CreateSnapshot, ModifySnapshotAttribute", - "color": "#BC5627" - }, - { - "techniqueID": "T1578.001", - "score": 1, - "comment": "CloudTrail: CreateSnapshot", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1485", "score": 1, "comment": "CloudTrail: DeleteSnapshot", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1490", "score": 1, "comment": "CloudTrail: DeleteSnapshot", - "color": "#BC5627" - }, - { - "techniqueID": "T1110.001", - "score": 1, - "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" - }, - { - "techniqueID": "T1552.005", - "score": 1, - "comment": "CloudTrail: 
CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" - }, - { - "techniqueID": "T1110.002", - "score": 1, - "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" - }, - { - "techniqueID": "T1070.003", - "score": 1, - "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1552", "score": 1, "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" - }, - { - "techniqueID": "T1110.003", - "score": 1, - "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1070", "score": 1, "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteUser, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1212", "score": 1, "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, 
ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" - }, - { - "techniqueID": "T1070.005", - "score": 1, - "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1110", "score": 1, "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" - }, - { - "techniqueID": "T1110.004", - "score": 1, - "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" - }, - { - "techniqueID": "T1552.007", - "score": 1, - "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1564", "score": 1, "comment": "CloudTrail: AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, CreateUser, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, 
GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagPolicy, TagRole, Untag Policy, UntagRole, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateRole", - "color": "#BC5627" - }, - { - "techniqueID": "T1136.001", - "score": 1, - "comment": "CloudTrail: CreateUser", - "color": "#BC5627" - }, - { - "techniqueID": "T1136.002", - "score": 1, - "comment": "CloudTrail: CreateUser", - "color": "#BC5627" - }, - { - "techniqueID": "T1564.002", - "score": 1, - "comment": "CloudTrail: AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, CreateUser, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, 
ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagPolicy, TagRole, Untag Policy, UntagRole, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateRole", - "color": "#BC5627" - }, - { - "techniqueID": "T1136.003", - "score": 1, - "comment": "CloudTrail: CreateUser", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1136", "score": 1, "comment": "CloudTrail: CreateUser", - "color": "#BC5627" - }, - { - "techniqueID": "T1070.009", - "score": 1, - "comment": "CloudTrail: DeleteUser", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1201", "score": 1, "comment": "CloudTrail: AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagPolicy, TagRole, Untag Policy, UntagRole, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, 
UpdateRole", - "color": "#BC5627" - }, - { - "techniqueID": "T1098.003", - "score": 1, - "comment": "CloudTrail: SetSecurityTokenPreferences, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1528", "score": 1, "comment": "CloudTrail: SetSecurityTokenPreferences, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate", - "color": "#BC5627" - }, - { - "techniqueID": "T1098.001", - "score": 1, - "comment": "CloudTrail: SetSecurityTokenPreferences, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate", - "color": "#BC5627" + "color": "#5d053f" }, { "techniqueID": "T1611", "score": 1, "comment": "CloudTrail: DetachVolume, ModifyVolume", - "color": "#BC5627" + "color": "#5d053f" } ], "gradient": { @@ -627,7 +273,7 @@ "legendItems": [ { "label": "CloudTrail", - "color": "#BC5627" + "color": "#5d053f" } ] } \ No newline at end of file diff --git a/mappings/layers/enterprise/OSQuery-heatmap.json b/mappings/layers/enterprise/OSQuery-heatmap.json index 73d3cce..9cb80af 100644 --- a/mappings/layers/enterprise/OSQuery-heatmap.json +++ b/mappings/layers/enterprise/OSQuery-heatmap.json 
@@ -13,2785 +13,961 @@ "techniqueID": "T1033", "score": 1, "comment": "OSQuery: appcompat_shims, augeas, autoexec, managed_policies, office_mru, plist, registry, running_apps, socket_events, startup_items, userassist", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1003", "score": 1, "comment": "OSQuery: appcompat_shims, augeas, autoexec, managed_policies, office_mru, plist, registry, running_apps, socket_events, startup_items, userassist", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1615", "score": 1, "comment": "OSQuery: managed_policies, powershell_events, running_apps, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1003.006", - "score": 1, - "comment": "OSQuery: managed_policies, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1557", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1110.001", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1213.002", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1564.008", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1491.002", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, 
file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1133", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1069", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, groups, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, user_groups", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1114", "score": 1, "comment": "OSQuery: augeas, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, safari_extensions", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1594", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1069.003", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, groups, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, user_groups", - "color": "#B03FD6" - }, - { - "techniqueID": "T1499.003", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, browser_plugins, chassis_info, chrome_extension_content_scripts, chrome_extensions, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, 
fan_speed_sensors, firefox_addons, hardware_events, homebrew_packages, hvci_status, ibridge_info, ie_extensions, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, opera_extensions, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, safari_extensions, selinux_events, selinux_settings, shared_resources, sip_config, socket_events, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" - }, - { - "techniqueID": "T1110.002", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1564", "score": 1, "comment": "OSQuery: account_policy_data, authenticode, authorizations, authorized_keys, browser_plugins, chrome_extension_content_scripts, chrome_extensions, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, firefox_addons, homebrew_packages, ie_extensions, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, opera_extensions, package_bom, powershell_events, process_file_events, quicklook_cache, running_apps, safari_extensions, shadow, shimcache, signature, suid_bin, user_ssh_keys", - "color": "#B03FD6" - }, - { - "techniqueID": "T1566.002", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1499.004", - "score": 
1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, browser_plugins, chassis_info, chrome_extension_content_scripts, chrome_extensions, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, firefox_addons, hardware_events, homebrew_packages, hvci_status, ibridge_info, ie_extensions, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, opera_extensions, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, safari_extensions, selinux_events, selinux_settings, shared_resources, sip_config, socket_events, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1137", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1598.003", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1566.001", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1505.002", - 
"score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1499.002", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, browser_plugins, chassis_info, chrome_extension_content_scripts, chrome_extensions, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, firefox_addons, hardware_events, homebrew_packages, hvci_status, ibridge_info, ie_extensions, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, opera_extensions, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, safari_extensions, selinux_events, selinux_settings, shared_resources, sip_config, socket_events, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" - }, - { - "techniqueID": "T1137.005", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1190", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1552", "score": 1, 
"comment": "OSQuery: appcompat_shims, augeas, autoexec, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, registry, running_apps, safari_extensions, startup_items, user_events, userassist", - "color": "#B03FD6" - }, - { - "techniqueID": "T1070.008", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1562.002", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, browser_plugins, chassis_info, chrome_extension_content_scripts, chrome_extensions, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, firefox_addons, hardware_events, homebrew_packages, hvci_status, ibridge_info, ie_extensions, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, opera_extensions, os_version, patches, portage_keywords, portage_packages, portage_use, powershell_events, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, safari_extensions, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1550", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, 
opera_extensions, safari_extensions, user_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1556.007", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1610", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1491", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1557.003", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1505.003", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1110.003", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1070", "score": 1, "comment": "OSQuery: alf_exceptions, authenticode, browser_plugins, chrome_extension_content_scripts, chrome_extensions, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, 
extended_attributes, file, file_events, firefox_addons, homebrew_packages, ie_extensions, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, opera_extensions, package_bom, process_file_events, quicklook_cache, running_apps, safari_extensions, shimcache, signature, socket_events, suid_bin, user_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1213.001", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1114.003", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1649", "score": 1, "comment": "OSQuery: appcompat_shims, augeas, autoexec, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, registry, safari_extensions, startup_items, userassist", - "color": "#B03FD6" - }, - { - "techniqueID": "T1098.005", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1598.002", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1204", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, 
socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1491.001", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1072", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1621", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, user_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1552.008", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1212", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, user_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1210", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1534", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": 
"#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1199", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1048", "score": 1, "comment": "OSQuery: augeas, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, safari_extensions, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1566", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1110", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1137.003", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1027.005", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1204.003", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": 
"T1110.004", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1203", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1137.004", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1550.004", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1499", "score": 1, "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, browser_plugins, chassis_info, chrome_extension_content_scripts, chrome_extensions, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, firefox_addons, hardware_events, homebrew_packages, hvci_status, ibridge_info, ie_extensions, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, opera_extensions, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, safari_extensions, selinux_events, selinux_settings, shared_resources, sip_config, socket_events, sudoers, syslog_events, system_controls, 
system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1598", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1213.003", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1213", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1200", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, usb_devices", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1505", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1189", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1622", "score": 1, "comment": "OSQuery: browser_plugins, 
chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1098.002", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1648", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1556", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1566.003", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1598.001", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1505.001", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1211", "score": 1, "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, 
running_apps, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1588.004", - "score": 1, - "comment": "OSQuery: certificates", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1588", "score": 1, "comment": "OSQuery: certificates", - "color": "#B03FD6" - }, - { - "techniqueID": "T1561.002", - "score": 1, - "comment": "OSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives, running_apps, time_machine_backups", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1006", "score": 1, "comment": "OSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1561", "score": 1, "comment": "OSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives, running_apps, time_machine_backups", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1092", "score": 1, "comment": "OSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives, usb_devices", - "color": "#B03FD6" - }, - { - "techniqueID": "T1561.001", - "score": 1, - "comment": "OSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives, running_apps, time_machine_backups", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1091", "score": 1, "comment": "OSQuery: augeas, file_events, office_mru, plist, running_apps, usb_devices", - "color": "#B03FD6" - }, - { - "techniqueID": "T1052.001", - "score": 1, - "comment": "OSQuery: augeas, office_mru, plist, running_apps, usb_devices", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1052", "score": 1, "comment": "OSQuery: augeas, office_mru, plist, running_apps, usb_devices", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1014", "score": 1, "comment": "OSQuery: file_events, time_machine_backups", - "color": "#B03FD6" - }, - { - 
"techniqueID": "T1542.003", - "score": 1, - "comment": "OSQuery: time_machine_backups", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1542", "score": 1, "comment": "OSQuery: bitlocker_info, drivers, iokit_devicetree, iokit_registry, time_machine_backups", - "color": "#B03FD6" - }, - { - "techniqueID": "T1542.002", - "score": 1, - "comment": "OSQuery: bitlocker_info, drivers, iokit_devicetree, iokit_registry", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1539", "score": 1, "comment": "OSQuery: augeas, office_mru, plist", - "color": "#B03FD6" - }, - { - "techniqueID": "T1003.002", - "score": 1, - "comment": "OSQuery: appcompat_shims, augeas, autoexec, office_mru, plist, registry, startup_items, userassist", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1025", "score": 1, "comment": "OSQuery: augeas, office_mru, plist", - "color": "#B03FD6" - }, - { - "techniqueID": "T1074.001", - "score": 1, - "comment": "OSQuery: augeas, file_events, office_mru, plist", - "color": "#B03FD6" - }, - { - "techniqueID": "T1114.001", - "score": 1, - "comment": "OSQuery: augeas, office_mru, plist", - "color": "#B03FD6" - }, - { - "techniqueID": "T1555.001", - "score": 1, - "comment": "OSQuery: augeas, office_mru, plist, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1087.001", - "score": 1, - "comment": "OSQuery: augeas, office_mru, plist, running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1119", "score": 1, "comment": "OSQuery: augeas, office_mru, plist, powershell_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1003.007", - "score": 1, - "comment": "OSQuery: augeas, office_mru, plist", - "color": "#B03FD6" - }, - { - "techniqueID": "T1555.005", - "score": 1, - "comment": "OSQuery: augeas, office_mru, plist", - "color": "#B03FD6" - }, - { - "techniqueID": "T1074.002", - "score": 1, - "comment": "OSQuery: augeas, file_events, office_mru, plist", - "color": "#B03FD6" + "color": 
"#be158b" }, { "techniqueID": "T1005", "score": 1, "comment": "OSQuery: augeas, office_mru, plist, powershell_events, running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1558", "score": 1, "comment": "OSQuery: augeas, last, logged_in_users, logon_sessions, office_mru, plist", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1555", "score": 1, "comment": "OSQuery: augeas, office_mru, plist, running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1567", "score": 1, "comment": "OSQuery: augeas, office_mru, plist, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1011", "score": 1, "comment": "OSQuery: augeas, office_mru, plist, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1555.003", - "score": 1, - "comment": "OSQuery: augeas, office_mru, plist", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1217", "score": 1, "comment": "OSQuery: augeas, office_mru, plist, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1552.004", - "score": 1, - "comment": "OSQuery: augeas, office_mru, plist", - "color": "#B03FD6" - }, - { - "techniqueID": "T1011.001", - "score": 1, - "comment": "OSQuery: augeas, office_mru, plist, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1087", "score": 1, "comment": "OSQuery: augeas, office_mru, plist, running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1020", "score": 1, "comment": "OSQuery: augeas, office_mru, plist, powershell_events, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1048.001", - "score": 1, - "comment": "OSQuery: augeas, office_mru, plist, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1074", "score": 1, "comment": "OSQuery: augeas, file_events, office_mru, plist", - "color": "#B03FD6" - }, - { - "techniqueID": "T1552.003", - "score": 1, - "comment": "OSQuery: augeas, office_mru, 
plist", - "color": "#B03FD6" - }, - { - "techniqueID": "T1552.001", - "score": 1, - "comment": "OSQuery: augeas, office_mru, plist", - "color": "#B03FD6" - }, - { - "techniqueID": "T1567.001", - "score": 1, - "comment": "OSQuery: augeas, office_mru, plist, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1552.006", - "score": 1, - "comment": "OSQuery: augeas, office_mru, plist", - "color": "#B03FD6" - }, - { - "techniqueID": "T1048.002", - "score": 1, - "comment": "OSQuery: augeas, office_mru, plist, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1041", "score": 1, "comment": "OSQuery: augeas, office_mru, plist, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1039", "score": 1, "comment": "OSQuery: augeas, mounts, nfs_shares, office_mru, plist, shared_folders, sharing_preferences, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1187", "score": 1, "comment": "OSQuery: augeas, file_events, office_mru, plist, socket_events", - "color": "#B03FD6" + "color": "#be158b" }, { - "techniqueID": "T1567.002", + "techniqueID": "T1018", "score": 1, - "comment": "OSQuery: augeas, office_mru, plist, socket_events", - "color": "#B03FD6" + "comment": "OSQuery: augeas, office_mru, plist, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1003.008", + "techniqueID": "T1037", "score": 1, - "comment": "OSQuery: augeas, office_mru, plist", - "color": "#B03FD6" + "comment": "OSQuery: file_events, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1555.004", + "techniqueID": "T1543", "score": 1, - "comment": "OSQuery: augeas, office_mru, plist, running_apps", - "color": "#B03FD6" + "comment": "OSQuery: file_events, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1018", + "techniqueID": "T1547", "score": 1, - "comment": "OSQuery: augeas, office_mru, plist, running_apps", - "color": "#B03FD6" + "comment": "OSQuery: authorization_mechanisms, 
fbsd_kmods, file_events, kernel_modules, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1003.003", + "techniqueID": "T1080", "score": 1, - "comment": "OSQuery: augeas, office_mru, plist", - "color": "#B03FD6" + "comment": "OSQuery: file_events, mounts, nfs_shares, running_apps, shared_folders, sharing_preferences", + "color": "#be158b" }, { - "techniqueID": "T1048.003", + "techniqueID": "T1053", "score": 1, - "comment": "OSQuery: augeas, office_mru, plist, socket_events", - "color": "#B03FD6" + "comment": "OSQuery: file_events, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1560.001", + "techniqueID": "T1176", "score": 1, "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1037", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1027.009", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1574.007", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1546.013", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1543", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1053.007", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1036.007", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, 
process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1560.003", - "score": 1, - "comment": "OSQuery: file_events, powershell_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1565.001", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1547", - "score": 1, - "comment": "OSQuery: authorization_mechanisms, fbsd_kmods, file_events, kernel_modules, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1204.002", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1080", - "score": 1, - "comment": "OSQuery: file_events, mounts, nfs_shares, running_apps, shared_folders, sharing_preferences", - "color": "#B03FD6" - }, - { - "techniqueID": "T1547.012", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1574.001", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1565.003", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1137.006", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1053", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1556.002", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1176", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1560.002", - "score": 1, - "comment": "OSQuery: file_events, powershell_events", - 
"color": "#B03FD6" - }, - { - "techniqueID": "T1547.010", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1037.002", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1218", "score": 1, "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1547.009", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1218.002", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1560", "score": 1, "comment": "OSQuery: file_events, powershell_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1543.004", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1574.008", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1546.005", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1574.006", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1574.005", - "score": 1, - "comment": "OSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1546.008", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1137.001", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1553.005", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, 
quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1218.005", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1547.015", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1556.008", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1554", "score": 1, "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1546.014", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1574.010", - "score": 1, - "comment": "OSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1547.006", - "score": 1, - "comment": "OSQuery: authorization_mechanisms, fbsd_kmods, file_events, kernel_modules, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1218.001", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1565", "score": 1, "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, socket_events, suid_bin", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1574", "score": 1, "comment": "OSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1564.009", - 
"score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin", - "color": "#B03FD6" + "color": "#be158b" }, { "techniqueID": "T1027", "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, powershell_events, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin, wmi_cli_event_consumers, wmi_script_event_consumers", - "color": "#B03FD6" - }, - { - "techniqueID": "T1505.004", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1564.006", - "score": 1, - "comment": "OSQuery: file_events, running_apps, sandboxes", - "color": "#B03FD6" - }, - { - "techniqueID": "T1546", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin, wmi_cli_event_consumers, wmi_script_event_consumers", - "color": "#B03FD6" - }, - { - "techniqueID": "T1546.004", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1486", - "score": 1, - "comment": "OSQuery: file_events, mounts, nfs_shares, running_apps, shared_folders, sharing_preferences", - "color": "#B03FD6" - }, - { - "techniqueID": "T1570", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, 
file_events, magic, mdfind, mdls, mounts, nfs_shares, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shared_folders, sharing_preferences, shimcache, signature, socket_events, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1574.009", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1037.005", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1037.003", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1027.004", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1496", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, file_events, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, 
xprotect_meta, xprotect_reports", - "color": "#B03FD6" - }, - { - "techniqueID": "T1546.002", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1543.001", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1027.006", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1546.016", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1037.004", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1543.002", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1547.013", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1574.002", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1105", - "score": 1, - "comment": "OSQuery: file_events, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1564.001", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1137.002", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1204.001", - "score": 1, - "comment": "OSQuery: file_events, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1547.008", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1574.004", - "score": 1, - "comment": "OSQuery: file_events", - 
"color": "#B03FD6" - }, - { - "techniqueID": "T1218.014", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1070.002", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1070.003", - "score": 1, - "comment": "OSQuery: file_events, user_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1070.001", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1070.009", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1485", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1070.004", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1490", - "score": 1, - "comment": "OSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1218.011", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1222.002", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1546.006", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, 
ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1195.001", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1036.005", - "score": 1, - "comment": "OSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, sandboxes, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1027.008", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1553.001", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1553.002", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, 
elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1222.001", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1195", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, authenticode, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, event_taps, extended_attributes, fan_speed_sensors, file, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, magic, mdfind, mdls, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, ntfs_acl_permissions, ntfs_journal_events, os_version, package_bom, patches, portage_keywords, portage_packages, portage_use, preferences, process_file_events, programs, python_packages, quicklook_cache, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, shimcache, signature, sip_config, sudoers, suid_bin, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" - }, - { - "techniqueID": "T1036", - "score": 1, - "comment": "OSQuery: authenticode, background_activities_moderator, crontab, device_hash, elf_dynamic, 
elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, gatekeeper, gatekeeper_apps, launchd, launchd_overrides, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, sandboxes, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1055", - "score": 1, - "comment": "OSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1070.006", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1027.001", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1222", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, 
ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1548", - "score": 1, - "comment": "OSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, running_apps, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1548.001", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1055.013", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1036.002", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1036.001", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, 
extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1553", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1195.002", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1036.003", - "score": 1, - "comment": "OSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1027.003", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1564.007", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, 
elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, powershell_events, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1027.010", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, powershell_events, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1027.002", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1036.006", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1027.007", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1564.004", - "score": 1, - "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, 
package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin", - "color": "#B03FD6" - }, - { - "techniqueID": "T1053.005", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1556.003", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1548.003", - "score": 1, - "comment": "OSQuery: background_activities_moderator, file_events, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1600", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1036.008", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1489", - "score": 1, - "comment": "OSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1053.003", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1505.005", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1070.007", - "score": 1, - "comment": "OSQuery: alf_exceptions, file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1600.001", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1140", - "score": 1, - "comment": "OSQuery: file_events, powershell_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1546.011", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1553.003", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1056.003", - "score": 1, - "comment": "OSQuery: file_events", - "color": 
"#B03FD6" - }, - { - "techniqueID": "T1098.004", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1647", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1600.002", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1569.001", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1564.002", - "score": 1, - "comment": "OSQuery: account_policy_data, authorizations, authorized_keys, file_events, running_apps, shadow, user_ssh_keys", - "color": "#B03FD6" - }, - { - "techniqueID": "T1547.001", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1098", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1053.006", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1601", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1056", - "score": 1, - "comment": "OSQuery: background_activities_moderator, file_events, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1564.003", - "score": 1, - "comment": "OSQuery: file_events, powershell_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1569", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1055.009", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1601.001", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": 
"T1556.001", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1564.005", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1547.007", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1053.002", - "score": 1, - "comment": "OSQuery: file_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1556.004", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1601.002", - "score": 1, - "comment": "OSQuery: file_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1518.001", - "score": 1, - "comment": "OSQuery: alf, alf_explicit_auths, iptables, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1518", - "score": 1, - "comment": "OSQuery: alf, alf_explicit_auths, iptables, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1562", - "score": 1, - "comment": "OSQuery: alf_exceptions, app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, gatekeeper, gatekeeper_apps, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, powershell_events, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": 
"#B03FD6" - }, - { - "techniqueID": "T1562.004", - "score": 1, - "comment": "OSQuery: alf_exceptions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1562.007", - "score": 1, - "comment": "OSQuery: alf_exceptions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1498.001", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" - }, - { - "techniqueID": "T1499.001", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, socket_events, sudoers, syslog_events, 
system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" - }, - { - "techniqueID": "T1498.002", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" - }, - { - "techniqueID": "T1195.003", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, 
system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" - }, - { - "techniqueID": "T1562.006", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" - }, - { - "techniqueID": "T1562.003", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, 
ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" - }, - { - "techniqueID": "T1562.001", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, gatekeeper, gatekeeper_apps, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" - }, - { - "techniqueID": "T1562.011", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, 
system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" - }, - { - "techniqueID": "T1498", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" - }, - { - "techniqueID": "T1529", - "score": 1, - "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, 
system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", - "color": "#B03FD6" - }, - { - "techniqueID": "T1525", - "score": 1, - "comment": "OSQuery: sandboxes", - "color": "#B03FD6" - }, - { - "techniqueID": "T1611", - "score": 1, - "comment": "OSQuery: authorization_mechanisms, fbsd_kmods, kernel_modules, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1606.002", - "score": 1, - "comment": "OSQuery: last, logged_in_users, logon_sessions, user_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1558.001", - "score": 1, - "comment": "OSQuery: last, logged_in_users, logon_sessions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1078", - "score": 1, - "comment": "OSQuery: last, logged_in_users, logon_sessions, user_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1078.002", - "score": 1, - "comment": "OSQuery: last, logged_in_users, logon_sessions, user_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1558.002", - "score": 1, - "comment": "OSQuery: last, logged_in_users, logon_sessions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1078.004", - "score": 1, - "comment": "OSQuery: last, logged_in_users, logon_sessions, user_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1078.003", - "score": 1, - "comment": "OSQuery: last, logged_in_users, logon_sessions, user_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1021.002", - "score": 1, - "comment": "OSQuery: mounts, nfs_shares, shared_folders, sharing_preferences", - "color": "#B03FD6" - }, - { - "techniqueID": "T1021", - "score": 1, - "comment": "OSQuery: mounts, nfs_shares, running_apps, shared_folders, sharing_preferences", - "color": "#B03FD6" - }, - { - "techniqueID": "T1132.001", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1602", - 
"score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1071.004", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1087.002", - "score": 1, - "comment": "OSQuery: running_apps, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1573.001", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1586.001", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1071", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1219", - "score": 1, - "comment": "OSQuery: running_apps, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1205", - "score": 1, - "comment": "OSQuery: running_apps, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1563.001", - "score": 1, - "comment": "OSQuery: running_apps, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1572", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1599.001", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1602.002", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1589", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1071.003", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1595.002", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1207", - "score": 1, - "comment": "OSQuery: socket_events, user_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1563", - "score": 1, - "comment": "OSQuery: running_apps, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1557.001", - "score": 1, - 
"comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1595", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1090.002", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1589.002", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1090", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1482", - "score": 1, - "comment": "OSQuery: powershell_events, running_apps, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1568", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1612", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1586", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1102", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1568.003", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1071.002", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1102.003", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1070.005", - "score": 1, - "comment": "OSQuery: running_apps, socket_events, user_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1090.003", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1001", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1571", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1585.001", - "score": 1, - "comment": "OSQuery: socket_events", - "color": 
"#B03FD6" - }, - { - "techniqueID": "T1599", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1573", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1567.003", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1102.002", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1595.003", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1573.002", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1095", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1001.003", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1090.004", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1557.002", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1132", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1585", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1565.002", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1132.002", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1537", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1221", - "score": 1, - "comment": "OSQuery: running_apps, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1071.001", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1563.002", - "score": 1, - "comment": "OSQuery: 
running_apps, socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1602.001", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1001.002", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1090.001", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1102.001", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1001.001", - "score": 1, - "comment": "OSQuery: socket_events", - "color": "#B03FD6" - }, - { - "techniqueID": "T1205.002", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1021.005", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1047", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1216.001", - "score": 1, - "comment": "OSQuery: powershell_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1059.007", - "score": 1, - "comment": "OSQuery: powershell_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1548.002", - "score": 1, - "comment": "OSQuery: background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1016.001", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1574.011", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1218.013", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1652", - "score": 1, - "comment": "OSQuery: appcompat_shims, autoexec, registry, running_apps, startup_items, userassist", - 
"color": "#B03FD6" - }, - { - "techniqueID": "T1547.014", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1559.002", - "score": 1, - "comment": "OSQuery: powershell_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1562.009", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1543.003", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1497.001", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1069.002", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1218.004", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1021.004", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1559.001", - "score": 1, - "comment": "OSQuery: powershell_events, running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1007", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" - }, - { - "techniqueID": "T1040", - "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, powershell_events, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin, wmi_cli_event_consumers, wmi_script_event_consumers", + "color": "#be158b" }, { - "techniqueID": "T1552.002", + "techniqueID": "T1546", "score": 1, - "comment": "OSQuery: appcompat_shims, autoexec, registry, running_apps, startup_items, userassist", - "color": "#B03FD6" + "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, 
extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin, wmi_cli_event_consumers, wmi_script_event_consumers", + "color": "#be158b" }, { - "techniqueID": "T1135", + "techniqueID": "T1486", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: file_events, mounts, nfs_shares, running_apps, shared_folders, sharing_preferences", + "color": "#be158b" }, { - "techniqueID": "T1120", + "techniqueID": "T1570", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, mounts, nfs_shares, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shared_folders, sharing_preferences, shimcache, signature, socket_events, suid_bin", + "color": "#be158b" }, { - "techniqueID": "T1082", + "techniqueID": "T1496", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, file_events, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, 
windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", + "color": "#be158b" }, { - "techniqueID": "T1218.007", + "techniqueID": "T1105", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: file_events, socket_events", + "color": "#be158b" }, { - "techniqueID": "T1059.002", + "techniqueID": "T1485", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: file_events, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1202", + "techniqueID": "T1490", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1010", + "techniqueID": "T1195", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, authenticode, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, event_taps, extended_attributes, fan_speed_sensors, file, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, magic, mdfind, mdls, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, ntfs_acl_permissions, ntfs_journal_events, os_version, package_bom, patches, portage_keywords, portage_packages, portage_use, preferences, process_file_events, programs, python_packages, quicklook_cache, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, shimcache, signature, sip_config, sudoers, suid_bin, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, 
windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", + "color": "#be158b" }, { - "techniqueID": "T1087.003", + "techniqueID": "T1036", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: authenticode, background_activities_moderator, crontab, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, gatekeeper, gatekeeper_apps, launchd, launchd_overrides, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, sandboxes, shimcache, signature, suid_bin", + "color": "#be158b" }, { - "techniqueID": "T1497.003", + "techniqueID": "T1055", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, shimcache, signature, suid_bin", + "color": "#be158b" }, { - "techniqueID": "T1218.003", + "techniqueID": "T1222", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin", + "color": "#be158b" }, { - "techniqueID": "T1553.006", + 
"techniqueID": "T1548", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, running_apps, shimcache, signature, suid_bin", + "color": "#be158b" }, { - "techniqueID": "T1112", + "techniqueID": "T1553", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin", + "color": "#be158b" }, { - "techniqueID": "T1021.006", + "techniqueID": "T1600", "score": 1, - "comment": "OSQuery: gatekeeper, gatekeeper_apps, running_apps", - "color": "#B03FD6" + "comment": "OSQuery: file_events", + "color": "#be158b" }, { - "techniqueID": "T1547.003", + "techniqueID": "T1489", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1136.001", + "techniqueID": "T1140", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: file_events, powershell_events, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1003.001", + "techniqueID": "T1647", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: file_events, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1021.003", + 
"techniqueID": "T1098", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: file_events, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1546.012", + "techniqueID": "T1601", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: file_events", + "color": "#be158b" }, { - "techniqueID": "T1218.008", + "techniqueID": "T1056", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: background_activities_moderator, file_events, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1016", + "techniqueID": "T1569", "score": 1, - "comment": "OSQuery: powershell_events, running_apps", - "color": "#B03FD6" + "comment": "OSQuery: file_events, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1059", + "techniqueID": "T1518", "score": 1, - "comment": "OSQuery: background_activities_moderator, package_receipts, powershell_events, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps", - "color": "#B03FD6" + "comment": "OSQuery: alf, alf_explicit_auths, iptables, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1136.002", + "techniqueID": "T1562", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: alf_exceptions, app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, gatekeeper, gatekeeper_apps, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, 
memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, powershell_events, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", + "color": "#be158b" }, { - "techniqueID": "T1609", + "techniqueID": "T1498", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", + "color": "#be158b" }, { - "techniqueID": "T1083", + "techniqueID": "T1529", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, 
event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports", + "color": "#be158b" }, { - "techniqueID": "T1546.009", + "techniqueID": "T1525", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: sandboxes", + "color": "#be158b" }, { - "techniqueID": "T1049", + "techniqueID": "T1611", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: authorization_mechanisms, fbsd_kmods, kernel_modules, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1218.012", + "techniqueID": "T1078", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: last, logged_in_users, logon_sessions, user_events", + "color": "#be158b" }, { - "techniqueID": "T1562.010", + "techniqueID": "T1021", "score": 1, - "comment": "OSQuery: background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps", - "color": "#B03FD6" + "comment": "OSQuery: mounts, nfs_shares, running_apps, shared_folders, sharing_preferences", + "color": "#be158b" }, { - "techniqueID": "T1497", + "techniqueID": "T1602", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1480", + 
"techniqueID": "T1071", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1057", + "techniqueID": "T1219", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: running_apps, socket_events", + "color": "#be158b" }, { - "techniqueID": "T1546.003", + "techniqueID": "T1205", "score": 1, - "comment": "OSQuery: running_apps, wmi_cli_event_consumers, wmi_script_event_consumers", - "color": "#B03FD6" + "comment": "OSQuery: running_apps, socket_events", + "color": "#be158b" }, { - "techniqueID": "T1497.002", + "techniqueID": "T1572", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1134.004", + "techniqueID": "T1589", "score": 1, - "comment": "OSQuery: background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1059.001", + "techniqueID": "T1207", "score": 1, - "comment": "OSQuery: background_activities_moderator, package_receipts, powershell_events, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events, user_events", + "color": "#be158b" }, { - "techniqueID": "T1546.001", + "techniqueID": "T1563", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: running_apps, socket_events", + "color": "#be158b" }, { - "techniqueID": "T1069.001", + "techniqueID": "T1595", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - 
"techniqueID": "T1056.002", + "techniqueID": "T1090", "score": 1, - "comment": "OSQuery: powershell_events, running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1059.004", + "techniqueID": "T1482", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: powershell_events, running_apps, socket_events", + "color": "#be158b" }, { - "techniqueID": "T1559", + "techniqueID": "T1568", "score": 1, - "comment": "OSQuery: powershell_events, running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1068", + "techniqueID": "T1612", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1201", + "techniqueID": "T1586", "score": 1, - "comment": "OSQuery: account_policy_data, authorizations, authorized_keys, running_apps, shadow, user_ssh_keys", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1548.004", + "techniqueID": "T1102", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1218.010", + "techniqueID": "T1001", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1546.015", + "techniqueID": "T1571", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1614.001", + "techniqueID": "T1599", "score": 1, - "comment": "OSQuery: appcompat_shims, autoexec, registry, running_apps, startup_items, userassist", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1012", + "techniqueID": "T1573", "score": 1, - 
"comment": "OSQuery: appcompat_shims, autoexec, registry, running_apps, startup_items, userassist", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1218.009", + "techniqueID": "T1095", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1553.004", + "techniqueID": "T1132", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1614", + "techniqueID": "T1585", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1197", + "techniqueID": "T1537", "score": 1, - "comment": "OSQuery: gatekeeper, gatekeeper_apps, running_apps", - "color": "#B03FD6" + "comment": "OSQuery: socket_events", + "color": "#be158b" }, { - "techniqueID": "T1127.001", + "techniqueID": "T1221", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: running_apps, socket_events", + "color": "#be158b" }, { - "techniqueID": "T1059.006", + "techniqueID": "T1047", "score": 1, "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { - "techniqueID": "T1546.010", + "techniqueID": "T1652", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: appcompat_shims, autoexec, registry, running_apps, startup_items, userassist", + "color": "#be158b" }, { - "techniqueID": "T1059.003", + "techniqueID": "T1007", "score": 1, "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { - "techniqueID": "T1651", + "techniqueID": "T1040", "score": 1, - "comment": "OSQuery: powershell_events, running_apps", - "color": "#B03FD6" + "comment": "OSQuery: running_apps", + "color": "#be158b" }, { - "techniqueID": "T1134", + "techniqueID": "T1135", 
"score": 1, - "comment": "OSQuery: account_policy_data, authorizations, authorized_keys, background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps, shadow, user_ssh_keys", - "color": "#B03FD6" + "comment": "OSQuery: running_apps", + "color": "#be158b" }, { - "techniqueID": "T1059.005", + "techniqueID": "T1120", "score": 1, - "comment": "OSQuery: powershell_events, running_apps", - "color": "#B03FD6" + "comment": "OSQuery: running_apps", + "color": "#be158b" }, { - "techniqueID": "T1136", + "techniqueID": "T1082", "score": 1, "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { - "techniqueID": "T1021.001", + "techniqueID": "T1202", "score": 1, "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { - "techniqueID": "T1037.001", + "techniqueID": "T1010", "score": 1, "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { - "techniqueID": "T1220", + "techniqueID": "T1112", "score": 1, "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { - "techniqueID": "T1569.002", + "techniqueID": "T1016", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: powershell_events, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1480.001", + "techniqueID": "T1059", "score": 1, - "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "comment": "OSQuery: background_activities_moderator, package_receipts, powershell_events, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1124", + "techniqueID": "T1609", "score": 1, "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { - "techniqueID": "T1546.007", + "techniqueID": 
"T1083", "score": 1, "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { - "techniqueID": "T1216", + "techniqueID": "T1049", "score": 1, - "comment": "OSQuery: powershell_events, running_apps", - "color": "#B03FD6" + "comment": "OSQuery: running_apps", + "color": "#be158b" }, { - "techniqueID": "T1127", + "techniqueID": "T1497", "score": 1, "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { - "techniqueID": "T1564.010", + "techniqueID": "T1480", "score": 1, "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { - "techniqueID": "T1574.012", + "techniqueID": "T1057", "score": 1, "comment": "OSQuery: running_apps", - "color": "#B03FD6" + "color": "#be158b" }, { - "techniqueID": "T1055.001", + "techniqueID": "T1559", "score": 1, - "comment": "OSQuery: background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets", - "color": "#B03FD6" + "comment": "OSQuery: powershell_events, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1056.004", + "techniqueID": "T1068", "score": 1, - "comment": "OSQuery: background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets", - "color": "#B03FD6" + "comment": "OSQuery: running_apps", + "color": "#be158b" }, { - "techniqueID": "T1036.004", + "techniqueID": "T1201", "score": 1, - "comment": "OSQuery: crontab, gatekeeper, gatekeeper_apps, launchd, launchd_overrides", - "color": "#B03FD6" + "comment": "OSQuery: account_policy_data, authorizations, authorized_keys, running_apps, shadow, user_ssh_keys", + "color": "#be158b" }, { - "techniqueID": "T1620", + "techniqueID": "T1012", "score": 1, - "comment": "OSQuery: powershell_events", - "color": "#B03FD6" + "comment": "OSQuery: appcompat_shims, autoexec, 
registry, running_apps, startup_items, userassist", + "color": "#be158b" }, { - "techniqueID": "T1556.005", + "techniqueID": "T1614", "score": 1, - "comment": "OSQuery: account_policy_data, authorizations, authorized_keys, powershell_events, shadow, user_ssh_keys", - "color": "#B03FD6" + "comment": "OSQuery: running_apps", + "color": "#be158b" }, { - "techniqueID": "T1552.005", + "techniqueID": "T1197", "score": 1, - "comment": "OSQuery: user_events", - "color": "#B03FD6" + "comment": "OSQuery: gatekeeper, gatekeeper_apps, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1078.001", + "techniqueID": "T1651", "score": 1, - "comment": "OSQuery: user_events", - "color": "#B03FD6" + "comment": "OSQuery: powershell_events, running_apps", + "color": "#be158b" }, { - "techniqueID": "T1550.003", + "techniqueID": "T1134", "score": 1, - "comment": "OSQuery: user_events", - "color": "#B03FD6" + "comment": "OSQuery: account_policy_data, authorizations, authorized_keys, background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps, shadow, user_ssh_keys", + "color": "#be158b" }, { - "techniqueID": "T1556.006", + "techniqueID": "T1136", "score": 1, - "comment": "OSQuery: user_events", - "color": "#B03FD6" + "comment": "OSQuery: running_apps", + "color": "#be158b" }, { - "techniqueID": "T1538", + "techniqueID": "T1220", "score": 1, - "comment": "OSQuery: user_events", - "color": "#B03FD6" + "comment": "OSQuery: running_apps", + "color": "#be158b" }, { - "techniqueID": "T1550.002", + "techniqueID": "T1124", "score": 1, - "comment": "OSQuery: user_events", - "color": "#B03FD6" + "comment": "OSQuery: running_apps", + "color": "#be158b" }, { - "techniqueID": "T1552.007", + "techniqueID": "T1216", "score": 1, - "comment": "OSQuery: user_events", - "color": "#B03FD6" + "comment": "OSQuery: powershell_events, running_apps", + "color": "#be158b" 
}, { - "techniqueID": "T1134.005", + "techniqueID": "T1127", "score": 1, - "comment": "OSQuery: account_policy_data, authorizations, authorized_keys, shadow, user_ssh_keys", - "color": "#B03FD6" + "comment": "OSQuery: running_apps", + "color": "#be158b" }, { - "techniqueID": "T1003.004", + "techniqueID": "T1620", "score": 1, - "comment": "OSQuery: appcompat_shims, autoexec, registry, startup_items, userassist", - "color": "#B03FD6" + "comment": "OSQuery: powershell_events", + "color": "#be158b" }, { - "techniqueID": "T1027.011", + "techniqueID": "T1538", "score": 1, - "comment": "OSQuery: wmi_cli_event_consumers, wmi_script_event_consumers", - "color": "#B03FD6" + "comment": "OSQuery: user_events", + "color": "#be158b" } ], "gradient": { @@ -2805,7 +981,7 @@ "legendItems": [ { "label": "OSQuery", - "color": "#B03FD6" + "color": "#be158b" } ] } \ No newline at end of file diff --git a/mappings/layers/enterprise/Sysmon-heatmap.json b/mappings/layers/enterprise/Sysmon-heatmap.json index 8ff4772..ca2e4d0 100644 --- a/mappings/layers/enterprise/Sysmon-heatmap.json +++ b/mappings/layers/enterprise/Sysmon-heatmap.json 
@@ -9,2231 +9,803 @@ "description": "", "domain": "enterprise-attack", "techniques": [ - { - "techniqueID": "T1056.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1561.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, { "techniqueID": "T1543", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1561", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1547", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1543.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1547.012", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1562", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1562.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1068", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1056", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1111", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1547.008", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1561.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1033", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1003", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1539", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1114", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1003.002", - "score": 1, - "comment": "Sysmon: ", 
- "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1025", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1074.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1114.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1555.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1087.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1119", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1003.007", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1555.005", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1074.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1091", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1005", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1558", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1555", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1567", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1552", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1011", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1555.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1217", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1552.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": 
"T1011.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1087", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1020", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1048.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1074", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1649", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1552.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1552.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1567.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1552.006", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1048.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1041", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1048", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1052.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1039", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1187", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1567.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1003.008", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1555.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1018", "score": 1, "comment": "Sysmon: ", - 
"color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1052", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1003.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1048.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1560.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1037", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1027.009", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1574.007", + "techniqueID": "T1564", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1491.002", + "techniqueID": "T1080", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1546.013", + "techniqueID": "T1137", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1053.007", + "techniqueID": "T1053", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1036.007", + "techniqueID": "T1176", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1560.003", + "techniqueID": "T1218", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1565.001", + "techniqueID": "T1560", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1564", + "techniqueID": "T1491", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1204.002", + "techniqueID": "T1204", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1080", + "techniqueID": "T1554", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" 
+ "color": "#ea31de" }, { - "techniqueID": "T1137", + "techniqueID": "T1566", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1566.001", + "techniqueID": "T1565", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1574.001", + "techniqueID": "T1574", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1565.003", + "techniqueID": "T1027", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1137.006", + "techniqueID": "T1546", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1505.002", + "techniqueID": "T1486", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1053", + "techniqueID": "T1570", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1556.002", + "techniqueID": "T1496", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1176", + "techniqueID": "T1505", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1560.002", + "techniqueID": "T1189", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1547.010", + "techniqueID": "T1105", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1037.002", + "techniqueID": "T1556", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1218", + "techniqueID": "T1070", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1547.009", + "techniqueID": "T1485", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1218.002", + "techniqueID": "T1490", 
"score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1560", + "techniqueID": "T1014", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1543.004", + "techniqueID": "T1600", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1574.008", + "techniqueID": "T1489", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1491", + "techniqueID": "T1140", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1505.003", + "techniqueID": "T1036", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1546.005", + "techniqueID": "T1055", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1574.006", + "techniqueID": "T1548", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1574.005", + "techniqueID": "T1647", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1546.008", + "techniqueID": "T1098", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1137.001", + "techniqueID": "T1601", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1553.005", + "techniqueID": "T1553", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1218.005", + "techniqueID": "T1569", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1547.015", + "techniqueID": "T1129", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1204", + "techniqueID": "T1106", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, 
{ - "techniqueID": "T1491.001", + "techniqueID": "T1620", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1556.008", + "techniqueID": "T1021", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1554", + "techniqueID": "T1059", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1546.014", + "techniqueID": "T1559", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1574.010", + "techniqueID": "T1220", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1547.006", + "techniqueID": "T1047", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1566", + "techniqueID": "T1602", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1218.001", + "techniqueID": "T1133", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1565", + "techniqueID": "T1219", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1574", + "techniqueID": "T1205", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1564.009", + "techniqueID": "T1029", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1027", + "techniqueID": "T1572", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1505.004", + "techniqueID": "T1090", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1564.006", + "techniqueID": "T1568", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1546", + "techniqueID": "T1542", "score": 1, "comment": "Sysmon: 
", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1546.004", + "techniqueID": "T1612", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1486", + "techniqueID": "T1102", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1570", + "techniqueID": "T1104", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1574.009", + "techniqueID": "T1030", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1037.005", + "techniqueID": "T1197", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1037.003", + "techniqueID": "T1221", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1027.004", + "techniqueID": "T1008", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1496", + "techniqueID": "T1185", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1546.002", + "techniqueID": "T1069", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1543.001", + "techniqueID": "T1615", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1505", + "techniqueID": "T1652", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1027.006", + "techniqueID": "T1007", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1189", + "techniqueID": "T1040", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1546.016", + "techniqueID": "T1135", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1037.004", + 
"techniqueID": "T1120", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1543.002", + "techniqueID": "T1082", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1547.013", + "techniqueID": "T1202", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1574.002", + "techniqueID": "T1611", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1105", + "techniqueID": "T1010", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1564.001", + "techniqueID": "T1112", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1137.002", + "techniqueID": "T1563", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1204.001", + "techniqueID": "T1222", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1556", + "techniqueID": "T1016", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1574.004", + "techniqueID": "T1482", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1218.014", + "techniqueID": "T1609", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1070.002", + "techniqueID": "T1083", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1070.003", + "techniqueID": "T1049", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1070.008", + "techniqueID": "T1497", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1070.001", + "techniqueID": "T1480", "score": 1, "comment": "Sysmon: ", - "color": 
"#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1070", + "techniqueID": "T1057", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1070.009", + "techniqueID": "T1072", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1485", + "techniqueID": "T1212", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1070.004", + "techniqueID": "T1201", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1490", + "techniqueID": "T1203", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1053.005", + "techniqueID": "T1012", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1556.003", + "techniqueID": "T1614", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1564.008", + "techniqueID": "T1651", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1014", + "techniqueID": "T1134", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1546.006", + "techniqueID": "T1136", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1548.003", + "techniqueID": "T1518", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1600", + "techniqueID": "T1622", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1036.008", + "techniqueID": "T1124", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1489", + "techniqueID": "T1216", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1053.003", + "techniqueID": "T1211", 
"score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1553.001", + "techniqueID": "T1127", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { - "techniqueID": "T1505.005", + "techniqueID": "T1529", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1070.007", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1600.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1140", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1036", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1546.011", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1055", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1070.006", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1553.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1556.007", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1548", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1548.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1056.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1098.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1647", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1600.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1569.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1564.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, 
- { - "techniqueID": "T1547.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1098", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1053.006", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1601", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1553", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1036.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1564.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1569", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1055.009", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1601.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1556.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1564.005", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1547.007", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1564.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1053.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1556.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1601.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1218.011", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1129", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1059.007", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1559.002", - 
"score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1559.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1218.007", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1106", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1620", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1547.005", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1021", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1547.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1547.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1021.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1218.008", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1059", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1546.009", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1059.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1055.014", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1559", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1547.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1218.010", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1546.015", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1546.010", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1059.005", - "score": 1, - "comment": "Sysmon: ", - 
"color": "#636AD2" - }, - { - "techniqueID": "T1027.007", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1220", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1055.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1546.007", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1574.012", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1205.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1021.005", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1047", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1602", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1133", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1542.005", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1568.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1021.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1219", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1205", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1218.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1029", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1021.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1572", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1602.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": 
"T1021.006", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1090.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1090", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1568", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1020.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1542", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1612", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1102", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1104", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1205.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1102.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1090.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1114.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1102.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1030", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1197", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1221", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1021.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1602.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1008", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1090.001", - "score": 1, - "comment": "Sysmon: ", - 
"color": "#636AD2" - }, - { - "techniqueID": "T1555.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1055.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1185", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1003.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1055.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1055.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1559.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1055.012", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1055.005", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1055.008", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1222.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1216.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1548.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1016.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1069", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1069.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1574.011", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1615", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1218.013", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1652", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - 
"techniqueID": "T1087.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1547.014", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1562.009", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1497.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1069.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1218.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1007", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1040", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1552.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1135", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1120", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1222.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1082", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1059.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1202", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1137.005", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1611", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1010", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1087.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1497.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1563.001", - "score": 1, - 
"comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1562.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1553.006", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1112", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1563", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1136.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1222", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1546.012", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1016", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1136.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1482", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1609", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1083", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1049", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1218.012", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1562.010", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1497", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1480", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1057", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1546.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1497.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - 
"techniqueID": "T1072", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1134.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1546.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1212", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1069.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1056.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1070.005", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1059.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1137.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1201", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1548.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1203", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1562.011", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1137.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1614.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1012", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1218.009", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1553.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1614", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1127.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1518.001", - "score": 1, - 
"comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1059.006", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1059.003", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1651", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1134", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1563.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1136", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1518", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1622", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1037.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1569.002", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1480.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1124", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1216", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1211", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1127", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1529", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1564.010", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1036.005", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1056.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1055.015", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - 
"techniqueID": "T1036.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1027.011", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" }, { "techniqueID": "T1557", "score": 1, "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1562.004", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1557.001", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1562.006", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" + "color": "#ea31de" } ], "gradient": { @@ -2247,7 +819,7 @@ "legendItems": [ { "label": "Sysmon", - "color": "#636AD2" + "color": "#ea31de" } ] } \ No newline at end of file diff --git a/mappings/layers/enterprise/WinEvtx-heatmap.json b/mappings/layers/enterprise/WinEvtx-heatmap.json index 3252beb..7987192 100644 --- a/mappings/layers/enterprise/WinEvtx-heatmap.json +++ b/mappings/layers/enterprise/WinEvtx-heatmap.json 
@@ -9,2741 +9,929 @@ "description": "", "domain": "enterprise-attack", "techniques": [ - { - "techniqueID": "T1558.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, { "techniqueID": "T1558", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1550", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1558.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1550.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1649", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1550.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1558.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1033", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1003", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1615", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1003.006", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1484.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1207", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1484.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1098.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1484", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1037", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1222.001", - "score": 1, - "comment": 
"WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1222", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1098", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1531", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1556.006", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1134.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1037.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1556.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1134", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1556", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1053.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1560.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1047", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1113", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1218.011", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1222.002", + "techniqueID": "T1006", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1216.001", + "techniqueID": "T1123", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1561.002", + "techniqueID": "T1543", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1006", + "techniqueID": "T1069", "score": 1, 
"comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1564.008", + "techniqueID": "T1114", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1546.013", + "techniqueID": "T1561", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1059.007", + "techniqueID": "T1025", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1123", + "techniqueID": "T1547", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1543", + "techniqueID": "T1489", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1546.006", + "techniqueID": "T1652", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1548.002", + "techniqueID": "T1564", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1016.001", + "techniqueID": "T1137", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1548.003", + "techniqueID": "T1119", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1069", + "techniqueID": "T1115", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1114", + "techniqueID": "T1007", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1003.002", + "techniqueID": "T1040", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1069.003", + "techniqueID": "T1135", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1574.011", + "techniqueID": "T1120", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, 
{ - "techniqueID": "T1561", + "techniqueID": "T1082", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1555.002", + "techniqueID": "T1053", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1025", + "techniqueID": "T1176", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1218.013", + "techniqueID": "T1202", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1074.001", + "techniqueID": "T1005", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1114.001", + "techniqueID": "T1562", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1555.001", + "techniqueID": "T1555", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1547", + "techniqueID": "T1567", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1003.004", + "techniqueID": "T1036", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1036.008", + "techniqueID": "T1552", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1489", + "techniqueID": "T1218", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1652", + "techniqueID": "T1010", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1087.002", + "techniqueID": "T1011", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1547.014", + "techniqueID": "T1560", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1564", + "techniqueID": "T1021", "score": 1, 
"comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1087.001", + "techniqueID": "T1112", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1562.009", + "techniqueID": "T1563", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1542.005", + "techniqueID": "T1217", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1543.003", + "techniqueID": "T1548", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1497.001", + "techniqueID": "T1125", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1053.003", + "techniqueID": "T1016", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1069.002", + "techniqueID": "T1087", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1070.002", + "techniqueID": "T1059", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1137", + "techniqueID": "T1482", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1218.004", + "techniqueID": "T1020", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1119", + "techniqueID": "T1070", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1115", + "techniqueID": "T1609", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1003.007", + "techniqueID": "T1083", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1555.005", + "techniqueID": "T1647", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" 
}, { - "techniqueID": "T1553.001", + "techniqueID": "T1074", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1007", + "techniqueID": "T1049", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1040", + "techniqueID": "T1542", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1552.002", + "techniqueID": "T1497", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1135", + "techniqueID": "T1480", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1120", + "techniqueID": "T1204", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1137.006", + "techniqueID": "T1057", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1082", + "techniqueID": "T1041", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1074.002", + "techniqueID": "T1048", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1053", + "techniqueID": "T1110", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1218.007", + "techniqueID": "T1039", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1505.005", + "techniqueID": "T1574", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1059.002", + "techniqueID": "T1027", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1176", + "techniqueID": "T1201", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1070.007", + "techniqueID": "T1546", "score": 1, 
"comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1070.003", + "techniqueID": "T1486", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1202", + "techniqueID": "T1553", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1005", + "techniqueID": "T1570", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1137.005", + "techniqueID": "T1012", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1562", + "techniqueID": "T1614", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1555", + "techniqueID": "T1197", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1567", + "techniqueID": "T1496", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1036", + "techniqueID": "T1569", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1546.011", + "techniqueID": "T1485", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1552", + "techniqueID": "T1651", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1070.008", + "techniqueID": "T1136", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1037.002", + "techniqueID": "T1018", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1218", + "techniqueID": "T1046", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1010", + "techniqueID": "T1518", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": 
"T1087.003", + "techniqueID": "T1622", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1497.003", + "techniqueID": "T1052", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1218.003", + "techniqueID": "T1124", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1563.001", + "techniqueID": "T1490", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1562.002", + "techniqueID": "T1216", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1021.002", + "techniqueID": "T1127", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1218.002", + "techniqueID": "T1529", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1547.005", + "techniqueID": "T1091", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1011", + "techniqueID": "T1092", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1562.004", + "techniqueID": "T1200", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1560", + "techniqueID": "T1014", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1021", + "techniqueID": "T1539", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1059.009", + "techniqueID": "T1187", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1553.006", + "techniqueID": "T1080", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1112", + "techniqueID": "T1491", "score": 1, "comment": 
"WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1543.004", + "techniqueID": "T1554", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1555.003", + "techniqueID": "T1566", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1563", + "techniqueID": "T1565", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1217", + "techniqueID": "T1505", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1552.004", + "techniqueID": "T1189", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1021.006", + "techniqueID": "T1105", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1011.001", + "techniqueID": "T1195", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1547.003", + "techniqueID": "T1055", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1546.005", + "techniqueID": "T1600", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1574.006", + "techniqueID": "T1140", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1136.001", + "techniqueID": "T1601", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1070.001", + "techniqueID": "T1056", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1003.001", + "techniqueID": "T1499", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1548", + "techniqueID": "T1498", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - 
"techniqueID": "T1134.002", + "techniqueID": "T1185", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1548.001", + "techniqueID": "T1606", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1547.004", + "techniqueID": "T1621", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1003.005", + "techniqueID": "T1199", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1098.004", + "techniqueID": "T1078", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1546.012", + "techniqueID": "T1213", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1218.008", + "techniqueID": "T1538", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1125", + "techniqueID": "T1133", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1016", + "techniqueID": "T1602", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1546.008", + "techniqueID": "T1219", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1087", + "techniqueID": "T1205", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1059", + "techniqueID": "T1029", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1562.006", + "techniqueID": "T1572", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1136.002", + "techniqueID": "T1090", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1482", + "techniqueID": "T1568", "score": 1, 
"comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1020", + "techniqueID": "T1612", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1070", + "techniqueID": "T1102", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1048.001", + "techniqueID": "T1104", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1137.001", + "techniqueID": "T1030", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1609", + "techniqueID": "T1221", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1083", + "techniqueID": "T1008", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1036.004", + "techniqueID": "T1559", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1647", + "techniqueID": "T1611", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1546.009", + "techniqueID": "T1072", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1114.003", + "techniqueID": "T1212", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1074", + "techniqueID": "T1068", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1049", + "techniqueID": "T1203", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1542", + "techniqueID": "T1220", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1218.012", + "techniqueID": "T1211", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - 
"techniqueID": "T1569.001", + "techniqueID": "T1620", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { - "techniqueID": "T1059.008", + "techniqueID": "T1557", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1552.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1562.010", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1497", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1552.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1218.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1480", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1134.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1567.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1204", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1564.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1134.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1552.006", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1048.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1087.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1057", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1562.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1546.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1497.002", - "score": 1, - "comment": 
"WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1041", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1059.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1546.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1546.014", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1547.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1069.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1048", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1547.006", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1056.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1052.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1053.006", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1218.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1070.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1110", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1059.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1137.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1562.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1039", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1574", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1204.003", - "score": 1, - "comment": "WinEvtx: ", - 
"color": "#9B6956" - }, - { - "techniqueID": "T1564.009", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1027", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1114.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1505.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1564.006", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1201", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1546", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1546.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1486", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1553", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1547.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1218.010", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1546.015", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1036.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1137.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1567.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1570", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1037.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1614.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1012", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { 
- "techniqueID": "T1218.009", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1553.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1027.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1614", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1197", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1127.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1518.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1564.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1059.006", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1546.010", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1496", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1546.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1003.008", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1543.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1569", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1059.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1070.009", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1555.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1485", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1027.010", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": 
"T1070.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1651", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1546.016", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1037.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1059.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1543.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1563.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1136", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1547.013", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1018", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1046", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1518", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1622", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1547.007", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1052", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1037.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1564.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1137.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1003.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1569.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1480.001", - "score": 1, 
- "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1564.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1124", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1053.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1490", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1546.007", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1216", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1552.007", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1561.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1048.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1127", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1529", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1218.014", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1574.012", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1091", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1092", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1200", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1014", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1542.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1539", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1187", - "score": 1, - "comment": "WinEvtx: ", - "color": 
"#9B6956" - }, - { - "techniqueID": "T1027.009", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1574.007", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1491.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1053.007", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1036.007", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1560.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1565.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1204.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1080", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1547.012", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1566.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1574.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1565.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1505.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1556.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1560.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1547.010", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1547.009", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1574.008", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1491", - "score": 1, - "comment": "WinEvtx: ", - "color": 
"#9B6956" - }, - { - "techniqueID": "T1505.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1574.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1553.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1547.015", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1491.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1556.008", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1554", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1574.010", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1566", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1565", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1574.009", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1505", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1027.006", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1189", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1574.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1105", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1204.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1547.008", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1574.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1195.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - 
"techniqueID": "T1036.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1027.008", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1553.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1195", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1055", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1070.006", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1027.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1055.013", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1036.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1036.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1195.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1027.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1564.007", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1027.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1036.006", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1027.007", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1556.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1600", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1600.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1140", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": 
"T1553.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1556.007", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1056.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1600.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1601", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1056", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1055.009", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1601.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1556.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1564.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1556.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1601.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1562.007", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1098.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1498.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1499.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1499.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1499.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1498.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1499.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": 
"T1195.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1562.011", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1499", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1498", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1021.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1213.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1606.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1021.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1185", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1078.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1213.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1606.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1021.007", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1606", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1621", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1199", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1078", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1078.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1213.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1213", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1538", - "score": 1, - 
"comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1021.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1078.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1078.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1133", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1558.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1205.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1602", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1568.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1219", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1205", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1029", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1572", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1602.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1021.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1090.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1090", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1568", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1020.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1612", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1102", - "score": 1, - "comment": "WinEvtx: ", - "color": 
"#9B6956" - }, - { - "techniqueID": "T1104", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1205.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1102.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1090.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1102.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1030", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1221", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1602.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1008", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1090.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1055.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1055.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1055.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1559.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1559", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1055.012", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1055.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1055.008", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1055.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1559.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { 
- "techniqueID": "T1559.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1611", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1072", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1134.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1212", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1068", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1548.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1203", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1220", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1211", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1564.010", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1620", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1557", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1557.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1110.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1552.005", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1110.002", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1110.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1110.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1136.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1098.003", - 
"score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1528", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1098.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1562.008", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1027.011", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1056.001", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" }, { "techniqueID": "T1111", "score": 1, "comment": "WinEvtx: ", - "color": "#9B6956" + "color": "#390e6e" } ], "gradient": { @@ -2757,7 +945,7 @@ "legendItems": [ { "label": "WinEvtx", - "color": "#9B6956" + "color": "#390e6e" } ] } \ No newline at end of file diff --git a/mappings/layers/enterprise/Zeek-heatmap.json b/mappings/layers/enterprise/Zeek-heatmap.json index efafd50..850b56d 100644 --- a/mappings/layers/enterprise/Zeek-heatmap.json +++ b/mappings/layers/enterprise/Zeek-heatmap.json 
@@ -9,869 +9,407 @@ "description": "", "domain": "enterprise-attack", "techniques": [ - { - "techniqueID": "T1205.002", - "score": 1, - "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" - }, - { - "techniqueID": "T1021.005", - "score": 1, - "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" - }, { "techniqueID": "T1047", "score": 1, "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1602", "score": 1, "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, 
pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1133", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, 
dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, 
rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1114", "score": 1, "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, 
ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" - }, - { - "techniqueID": "T1542.005", - "score": 1, - "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" - }, - { - "techniqueID": "T1568.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, 
nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1021.004", - "score": 1, - "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" - }, - { - "techniqueID": "T1218.007", - "score": 1, - "comment": "Zeek: 
connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1176", "score": 1, "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1567", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, 
krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, 
smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1219", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, 
ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, 
smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1205", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, 
dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, 
rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1218", "score": 1, "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, 
ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" - }, - { - "techniqueID": "T1218.003", - "score": 1, - "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1029", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, 
nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1021.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, 
dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, 
ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1572", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, 
nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, 
ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1011", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, 
netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, 
snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1602.002", - "score": 1, - "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, 
smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1021", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, 
netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1021.006", - "score": 1, - "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, 
ssl_session_ticket_handshake", - "color": "#757575" - }, - { - "techniqueID": "T1011.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, 
pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, 
ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1021.003", - "score": 1, - "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" - }, - { - "techniqueID": "T1090.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, 
mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, 
smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1090", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, 
icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, 
smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1020", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, 
dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, 
smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1048.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, 
dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, 
rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1568", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, 
connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, 
pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, 
ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1020.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, 
pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1542", "score": 1, "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1612", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, 
dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, 
rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1102", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, 
connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, 
rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": 
"T1218.005", - "score": 1, - "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1104", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, 
nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1205.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, 
dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, 
ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1204", "score": 1, "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents", - 
"color": "#757575" - }, - { - "techniqueID": "T1048.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, 
pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, 
ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1041", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, 
nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, 
ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1102.003", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, 
netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, 
snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1048", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, 
krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, 
smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1090.003", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, 
http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, 
smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1039", "score": 1, "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, 
rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1114.002", - "score": 1, - "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" - }, - { - "techniqueID": "T1218.010", - "score": 1, - "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, 
rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" - }, - { - "techniqueID": "T1102.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, 
nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, 
ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1567.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, 
netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, 
snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1030", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, 
netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1197", "score": 1, "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, 
ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1496", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, 
rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1189", "score": 1, "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, 
smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1221", "score": 1, "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, 
smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1018", "score": 1, "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1105", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, 
dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, 
smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1021.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, 
dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, 
ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1602.001", - "score": 1, - "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, 
ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1204.001", - "score": 1, - "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, 
ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1008", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, 
pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1090.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, 
icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, 
smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1048.003", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, 
dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, 
smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1557", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, 
dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, 
sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1033", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, 
dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, 
smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1132.001", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, 
smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1003", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, 
mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, 
smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1491.002", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, 
ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1499.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, 
nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, 
ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1499.003", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, 
pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, 
udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1071.004", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, 
pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1615", "score": 1, "comment": "Zeek: 
http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1087.002", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, 
sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1573.001", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, 
smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1586.001", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, 
ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1566.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, 
pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - 
"color": "#757575" - }, - { - "techniqueID": "T1499.004", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, 
pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1598.003", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, 
connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, 
rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1566.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, 
connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, 
rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1071", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, 
dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, 
rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1499.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, 
dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, 
rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1190", "score": 1, "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, 
smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1563.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, 
imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, 
smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1599.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, 
krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, 
smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1589", "score": 1, "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, 
snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1071.003", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, 
nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, 
ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1595.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, 
partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, 
tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1207", "score": 1, "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1491", "score": 1, "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, 
pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1557.003", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, 
http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, 
smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1563", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, 
icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, 
smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1505.003", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, 
imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, 
smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1557.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, 
mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, 
smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1595", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, 
mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, 
snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1589.002", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, 
ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1482", "score": 1, "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1070", "score": 1, "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, 
mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1586", "score": 1, "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, 
smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1568.003", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, 
smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1567.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, 
nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, 
ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1598.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, 
nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, 
ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1491.001", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1071.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, 
connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, 
rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1210", "score": 1, "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, 
pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1534", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, 
http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, 
smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1199", "score": 1, "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, 
smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1566", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, 
netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, 
snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1070.005", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, 
ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1565", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, 
pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { 
"techniqueID": "T1001", "score": 1, "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1571", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, 
dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, 
sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1585.001", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, 
smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1187", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, 
krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, 
smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1599", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, 
mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, 
smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1573", "score": 1, "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, 
ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1567.003", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, 
nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, 
ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1595.003", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1573.002", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, 
mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1570", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, 
dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, 
smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1095", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, 
http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, 
smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1001.003", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, 
smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1499", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, 
netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, 
snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1090.004", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, 
ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1557.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, 
pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { 
"techniqueID": "T1132", "score": 1, "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1598", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, 
dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, 
sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1585", "score": 1, "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, 
smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1565.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, 
krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, 
smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1505", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, 
mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, 
smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1132.002", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, 
ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1537", "score": 1, "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1071.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, 
connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, 
rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1563.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, 
dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, 
rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1001.002", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, 
rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1003.006", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, 
http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, 
smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1566.003", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, 
icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, 
smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1102.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, 
krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, 
smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1001.001", - "score": 1, - "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, 
snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents", - "color": "#757575" - }, - { - "techniqueID": "T1598.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, 
nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, 
ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1498.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, 
pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1568.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, 
nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1498.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, 
krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1200", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, 
dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1498", 
"score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, 
smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1595.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, 
pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" }, { "techniqueID": "T1046", "score": 1, "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, 
netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" + "color": "#954a47" } ], "gradient": { @@ -885,7 +423,7 @@ "legendItems": [ { "label": "Zeek", - "color": "#757575" + "color": "#954a47" } ] } \ No newline at end of file diff --git a/mappings/layers/enterprise/sensor-comparison-heatmap.json b/mappings/layers/enterprise/sensor-comparison-heatmap.json index 787be15..7d73518 100644 --- a/mappings/layers/enterprise/sensor-comparison-heatmap.json +++ b/mappings/layers/enterprise/sensor-comparison-heatmap.json 
@@ -9,2688 +9,942 @@ "description": "", "domain": "enterprise-attack", "techniques": [ - { - "techniqueID": "T1053.005", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1560.001", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, { "techniqueID": "T1047", "score": 5, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1113", - "score": 2, - "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " + "techniqueID": "T1602", + "score": 5, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, 
pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1037", + "techniqueID": "T1133", "score": 5, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Zeek: arp_reply, 
arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, 
pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, 
ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, socket_events\n\nAuditd: CRYPTO_KEY_USER, LOGIN, MAC_UNLBL_ALLOW, USER_END, USER_LOGOUT" }, { - "techniqueID": "T1033", + "techniqueID": "T1114", "score": 6, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, TTY, USER_AVC, USER_CMD, USYS_CONFIG\n\nCloudTrail: GetOpenIDConnectProvider\n\nOSQuery: appcompat_shims, augeas, autoexec, managed_policies, office_mru, plist, registry, running_apps, socket_events, startup_items, userassist\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, 
mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, 
snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake\n\nSysmon: \n\nCloudTrail: ConsoleLogin\n\nWinEvtx: \n\nOSQuery: augeas, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, safari_extensions\n\nAuditd: ANOM_LINK, CRYPTO_SESSION, USER_AVC, USER_LOGIN, USER_START, USYS_CONFIG" }, { - "techniqueID": "T1218.011", - "score": 4, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1176", + "score": 5, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, 
pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: file_events, running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1222.002", - "score": 4, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1567", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, 
mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, 
smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: augeas, office_mru, plist, socket_events\n\nAuditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG" }, { - "techniqueID": "T1216.001", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1219", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, 
dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, 
sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: running_apps, socket_events\n\nAuditd: MAC_UNLBL_ALLOW, USER_CMD" }, { - "techniqueID": "T1003", - "score": 6, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, TTY, USER_AVC, USER_CMD, USYS_CONFIG\n\nCloudTrail: GetOpenIDConnectProvider\n\nOSQuery: appcompat_shims, augeas, autoexec, managed_policies, office_mru, plist, registry, running_apps, socket_events, startup_items, 
userassist\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, 
pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + "techniqueID": "T1205", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, 
connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, 
pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, 
tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: running_apps, socket_events\n\nAuditd: MAC_UNLBL_ALLOW, USER_CMD" }, { - "techniqueID": "T1561.002", - "score": 4, - "comment": "Auditd: FS_RELABEL, USER_CMD, USYS_CONFIG\n\nOSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives, running_apps, time_machine_backups\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1218", + "score": 5, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: file_events, running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1006", + "techniqueID": "T1029", "score": 3, - "comment": "Auditd: USYS_CONFIG\n\nOSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives\n\nWinEvtx: " + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, 
http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: " }, { - "techniqueID": "T1564.008", - "score": 4, - "comment": "Auditd: 
LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USYS_CONFIG\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1572", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, 
nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, 
ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1546.013", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1011", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, 
mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, 
smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: augeas, office_mru, plist, socket_events\n\nAuditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG" }, { - "techniqueID": "T1059.007", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1021", + "score": 6, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, 
dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, 
ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request\n\nSysmon: \n\nCloudTrail: ConsoleLogin\n\nWinEvtx: \n\nOSQuery: mounts, nfs_shares, running_apps, shared_folders, sharing_preferences\n\nAuditd: CRYPTO_SESSION, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG" }, { - "techniqueID": "T1123", - "score": 2, - "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " + "techniqueID": "T1090", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, 
nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, 
ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1543", - "score": 4, - "comment": "Auditd: ANOM_PROMISCUOUS, CONFIG_CHANGE, DAEMON_CONFIG, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_POLICY_LOAD, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1020", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, 
icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, 
smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: augeas, office_mru, plist, powershell_events, socket_events\n\nAuditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG" }, { - "techniqueID": "T1546.006", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1568", + "score": 5, + "comment": 
"Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, 
pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, 
ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1548.002", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1542", + "score": 5, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: bitlocker_info, drivers, iokit_devicetree, iokit_registry, time_machine_backups\n\nAuditd: FS_RELABEL, USYS_CONFIG" }, { - "techniqueID": "T1016.001", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1612", + "score": 6, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, 
dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, 
smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nCloudTrail: CreateImage\n\nWinEvtx: \n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1548.003", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: background_activities_moderator, file_events, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps\n\nSysmon: 
\n\nWinEvtx: " + "techniqueID": "T1102", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, 
pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, 
ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1069", - "score": 5, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nCloudTrail: DeleteGroupPolicy, DetachGroupPolicy, GetContextKeysForPrincipalPolicy, GetGroupPolicy, ListAttachedGroupPolicies, ListEntitiesForPolicy, ListGroupPolicies, ListGroups, ListGroupsForUser, ListPoliciesGrantingServiceAccess, PutGroupPolicy\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, groups, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, user_groups\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1104", + "score": 3, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, 
mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: " }, { - "techniqueID": "T1114", + "techniqueID": "T1204", "score": 6, - "comment": "Auditd: ANOM_LINK, CRYPTO_SESSION, USER_AVC, USER_LOGIN, USER_START, USYS_CONFIG\n\nCloudTrail: ConsoleLogin\n\nOSQuery: augeas, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, 
homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, safari_extensions\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, 
ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nSysmon: \n\nCloudTrail: CreateImage, RunInstances, StartInstances\n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events\n\nAuditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1003.002", - "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: appcompat_shims, augeas, autoexec, office_mru, plist, registry, startup_items, userassist\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1041", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, 
imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, 
smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: augeas, office_mru, plist, socket_events\n\nAuditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG" }, { - "techniqueID": "T1069.003", + "techniqueID": "T1048", "score": 5, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nCloudTrail: DeleteGroupPolicy, DetachGroupPolicy, GetContextKeysForPrincipalPolicy, GetGroupPolicy, ListAttachedGroupPolicies, ListEntitiesForPolicy, ListGroupPolicies, ListGroups, ListGroupsForUser, ListPoliciesGrantingServiceAccess, PutGroupPolicy\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, groups, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, user_groups\n\nSysmon: \n\nWinEvtx: " + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, 
connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, 
pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, 
ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: augeas, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, safari_extensions, socket_events\n\nAuditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG" }, { - "techniqueID": "T1574.011", - "score": 4, - "comment": "Auditd: ANOM_PROMISCUOUS, CONFIG_CHANGE, DAEMON_CONFIG, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1039", + "score": 5, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, 
smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: augeas, mounts, nfs_shares, office_mru, plist, shared_folders, sharing_preferences, socket_events\n\nAuditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG" }, { - "techniqueID": "T1561", - "score": 4, - "comment": "Auditd: FS_RELABEL, USER_CMD, USYS_CONFIG\n\nOSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives, running_apps, time_machine_backups\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1030", + "score": 3, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, 
imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: " }, { - "techniqueID": "T1555.002", - "score": 3, - "comment": "Auditd: TTY, USYS_CONFIG\n\nSysmon: \n\nWinEvtx: " + "techniqueID": 
"T1197", + "score": 5, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: gatekeeper, gatekeeper_apps, running_apps\n\nAuditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG" }, { - "techniqueID": "T1615", - "score": 6, - "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG\n\nCloudTrail: GetOpenIDConnectProvider\n\nOSQuery: managed_policies, powershell_events, running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, 
snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + "techniqueID": "T1496", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, 
pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, file_events, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, 
xprotect_entries, xprotect_meta, xprotect_reports\n\nAuditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1025", - "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1189", + "score": 5, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, 
ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events\n\nAuditd: MAC_UNLBL_ALLOW, USER_CMD" }, { - "techniqueID": "T1218.013", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1221", + "score": 5, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, 
socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: running_apps, socket_events\n\nAuditd: MAC_UNLBL_ALLOW, USER_CMD" }, { - "techniqueID": "T1074.001", - "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, file_events, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1018", + "score": 5, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: augeas, office_mru, plist, running_apps\n\nAuditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1114.001", - "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1105", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, 
dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, 
rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: file_events, socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1555.001", - "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, 
plist, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1008", + "score": 3, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, 
rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: " }, { - "techniqueID": "T1547", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: authorization_mechanisms, fbsd_kmods, file_events, kernel_modules, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1557", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, 
icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, 
smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nAuditd: DAEMON_START, MAC_POLICY_LOAD, MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1003.004", - "score": 3, - "comment": "Auditd: USYS_CONFIG\n\nOSQuery: appcompat_shims, autoexec, registry, startup_items, userassist\n\nWinEvtx: " + "techniqueID": "T1033", + "score": 6, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, 
dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, 
smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nCloudTrail: GetOpenIDConnectProvider\n\nWinEvtx: \n\nOSQuery: appcompat_shims, augeas, autoexec, managed_policies, office_mru, plist, registry, running_apps, socket_events, startup_items, userassist\n\nAuditd: ANOM_LINK, MAC_UNLBL_ALLOW, TTY, USER_AVC, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1036.008", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USYS_CONFIG\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1003", + "score": 6, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, 
dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, 
rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nCloudTrail: GetOpenIDConnectProvider\n\nWinEvtx: \n\nOSQuery: appcompat_shims, augeas, autoexec, managed_policies, office_mru, plist, registry, running_apps, socket_events, startup_items, userassist\n\nAuditd: ANOM_LINK, MAC_UNLBL_ALLOW, TTY, USER_AVC, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1489", - "score": 4, - "comment": "Auditd: ANOM_ABEND, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, 
SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG\n\nOSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1615", + "score": 6, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nSysmon: \n\nCloudTrail: GetOpenIDConnectProvider\n\nWinEvtx: \n\nOSQuery: managed_policies, powershell_events, running_apps, socket_events\n\nAuditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1652", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: appcompat_shims, autoexec, registry, running_apps, 
startup_items, userassist\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1071", + "score": 3, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, 
pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1087.002", - "score": 6, 
- "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG\n\nCloudTrail: ListAttachedGroupPolicies, ListGroupPolicies, ListGroups, ListGroupsForUser\n\nOSQuery: running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + "techniqueID": "T1190", + "score": 3, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, 
pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1547.014", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1589", + "score": 3, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, 
rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1564", + "techniqueID": "T1207", + "score": 5, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, 
smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, CreateOpenIDConnectProvider, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, RemoveClientIDFromOpenIDConnectProvider, ResyncMFADevice, TagMFADevice, TagOpenIDConnectProvider, TagSAMLProvider, UntagMFADevice, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nWinEvtx: \n\nOSQuery: socket_events, user_events\n\nAuditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, MAC_UNLBL_ALLOW, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH" + }, + { + "techniqueID": "T1491", "score": 5, - "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, CRED_ACQ, CRED_DISP, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, USER_CHAUTHTOK, USER_CMD, USER_ERR, USER_LABELED_EXPORT, USER_ROLE_CHANGE, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nCloudTrail: AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, CreateUser, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, 
DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagPolicy, TagRole, Untag Policy, UntagRole, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateRole\n\nOSQuery: account_policy_data, authenticode, authorizations, authorized_keys, browser_plugins, chrome_extension_content_scripts, chrome_extensions, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, firefox_addons, homebrew_packages, ie_extensions, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, opera_extensions, package_bom, powershell_events, process_file_events, quicklook_cache, running_apps, safari_extensions, shadow, shimcache, signature, suid_bin, user_ssh_keys\n\nSysmon: \n\nWinEvtx: " + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, 
rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1563", + "score": 6, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, 
dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, 
smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nCloudTrail: ConsoleLogin\n\nWinEvtx: \n\nOSQuery: running_apps, socket_events\n\nAuditd: CRYPTO_SESSION, MAC_UNLBL_ALLOW, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG" }, { - "techniqueID": "T1484.002", + "techniqueID": "T1595", "score": 3, - "comment": "Auditd: USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, CreateOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nWinEvtx: " + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, 
dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, 
rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1087.001", + "techniqueID": "T1482", "score": 5, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG\n\nCloudTrail: ListAttachedGroupPolicies, ListGroupPolicies, ListGroups, ListGroupsForUser\n\nOSQuery: augeas, office_mru, plist, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, 
icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: powershell_events, running_apps, socket_events\n\nAuditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1562.009", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1070", + "score": 6, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, 
pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nSysmon: \n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteUser, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nWinEvtx: \n\nOSQuery: alf_exceptions, authenticode, browser_plugins, chrome_extension_content_scripts, chrome_extensions, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, firefox_addons, homebrew_packages, ie_extensions, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, opera_extensions, package_bom, process_file_events, quicklook_cache, running_apps, safari_extensions, shimcache, signature, socket_events, suid_bin, user_events\n\nAuditd: ANOM_DEL_ACCOUNT, ANOM_LOGIN_FAILURES, 
ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, DEL_USER, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, NETFILTER_CFG, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USER_CMD, USER_LABELED_EXPORT, USER_ROLE_CHANGE, USER_UNLABELED_EXPORT, USYS_CONFIG" }, { - "techniqueID": "T1542.005", - "score": 4, - "comment": "Auditd: USYS_CONFIG\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + "techniqueID": "T1586", + "score": 3, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, 
snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1543.003", - "score": 4, - "comment": "Auditd: ANOM_PROMISCUOUS, CONFIG_CHANGE, DAEMON_CONFIG, DAEMON_START, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_POLICY_LOAD, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1210", + "score": 3, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, 
ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1497.001", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1534", + "score": 3, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, 
netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, 
ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1053.003", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1199", + "score": 5, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, 
snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nCloudTrail: ConsoleLogin\n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, socket_events\n\nAuditd: CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, MAC_UNLBL_ALLOW, USER_END, USER_LOGIN, USER_LOGOUT, USER_START" }, { - "techniqueID": "T1069.002", + "techniqueID": "T1566", "score": 5, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nCloudTrail: ListAttachedGroupPolicies, ListGroupPolicies, ListGroups, ListGroupsForUser\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, 
krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, 
smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1070.002", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USYS_CONFIG\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1565", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, 
http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, 
smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, socket_events, suid_bin\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_CHAUTHTOK, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT" }, { - "techniqueID": "T1137", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1001", + "score": 3, + "comment": "Zeek: http_content_type, http_entity_data, 
icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1218.004", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1571", + "score": 3, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, 
dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, 
rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1119", - "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, powershell_events\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1187", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, 
dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, 
rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: augeas, file_events, office_mru, plist, socket_events\n\nAuditd: ANOM_LINK, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_AVC" }, { - "techniqueID": "T1115", - "score": 2, - "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " + "techniqueID": "T1599", + "score": 3, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, 
connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, 
rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1003.007", - "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1573", + "score": 3, + "comment": "Zeek: http_content_type, http_entity_data, 
icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1555.005", - "score": 4, - "comment": "Auditd: ANOM_LINK, TTY, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1570", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, 
dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, 
rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, mounts, nfs_shares, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shared_folders, sharing_preferences, shimcache, signature, socket_events, suid_bin\n\nAuditd: MAC_UNLBL_ALLOW, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG" }, { - "techniqueID": 
"T1553.001", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1095", + "score": 3, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, 
nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, 
ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1007", + "techniqueID": "T1499", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, 
nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, 
ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nWinEvtx: \n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, browser_plugins, chassis_info, chrome_extension_content_scripts, chrome_extensions, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, firefox_addons, hardware_events, homebrew_packages, hvci_status, ibridge_info, ie_extensions, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, opera_extensions, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, safari_extensions, selinux_events, selinux_settings, shared_resources, sip_config, socket_events, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nAuditd: MAC_UNLBL_ALLOW, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN" }, { - "techniqueID": "T1040", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1132", + "score": 3, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, 
pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1552.002", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: appcompat_shims, autoexec, registry, running_apps, startup_items, userassist\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1598", + "score": 3, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, 
dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, 
smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1135", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1585", + "score": 3, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, 
rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1120", + "techniqueID": "T1505", + "score": 5, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, 
http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, 
smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request\n\nSysmon: \n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_CMD" + }, + { + "techniqueID": "T1537", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, 
smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents\n\nCloudTrail: CreateSnapshot, ModifySnapshotAttribute\n\nOSQuery: socket_events\n\nAuditd: MAC_UNLBL_ALLOW" }, { - "techniqueID": "T1222.001", - "score": 5, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1200", + "score": 3, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, 
connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, 
socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request\n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, usb_devices" }, { - "techniqueID": "T1137.006", + "techniqueID": "T1498", "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, 
nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request\n\nWinEvtx: \n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nAuditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN" }, { - "techniqueID": "T1082", + "techniqueID": "T1046", + "score": 3, + "comment": 
"Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, 
smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request\n\nWinEvtx: \n\nAuditd: USYS_CONFIG" + }, + { + "techniqueID": "T1543", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: file_events, running_apps\n\nAuditd: ANOM_PROMISCUOUS, CONFIG_CHANGE, DAEMON_CONFIG, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_POLICY_LOAD, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1074.002", + "techniqueID": "T1561", "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, file_events, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives, running_apps, time_machine_backups\n\nAuditd: FS_RELABEL, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1053", + "techniqueID": "T1547", "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: authorization_mechanisms, fbsd_kmods, file_events, kernel_modules, running_apps\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1218.007", + "techniqueID": "T1562", "score": 5, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, 
rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + "comment": "Sysmon: \n\nCloudTrail: SetSecurityTokenPreferences, StopLogging, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nWinEvtx: \n\nOSQuery: alf_exceptions, app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, gatekeeper, gatekeeper_apps, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, powershell_events, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nAuditd: ANOM_ABEND, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, NETFILTER_CFG, SELINUX_ERR, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CHAUTHTOK, USER_CMD, USER_ROLE_CHANGE, USER_TTY, USYS_CONFIG" }, { - "techniqueID": "T1505.005", + "techniqueID": "T1068", "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: 
\n\nOSQuery: running_apps\n\nAuditd: USER_CMD" }, { - "techniqueID": "T1059.002", + "techniqueID": "T1056", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: background_activities_moderator, file_events, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD" }, { - "techniqueID": "T1176", - "score": 5, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + "techniqueID": "T1111", + "score": 2, + "comment": "Sysmon: \n\nWinEvtx: " }, { - "techniqueID": "T1070.007", + "techniqueID": "T1539", "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, NETFILTER_CFG, USER_CMD, USYS_CONFIG\n\nOSQuery: alf_exceptions, file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1070.003", - "score": 5, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USYS_CONFIG\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: file_events, user_events\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: 
\n\nOSQuery: augeas, office_mru, plist\n\nAuditd: ANOM_LINK, TTY, USER_AVC" }, { - "techniqueID": "T1202", + "techniqueID": "T1025", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: augeas, office_mru, plist\n\nAuditd: ANOM_LINK, USER_AVC, USYS_CONFIG" }, { - "techniqueID": "T1005", + "techniqueID": "T1119", "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: augeas, office_mru, plist, powershell_events\n\nAuditd: ANOM_LINK, USER_AVC, USYS_CONFIG" }, { - "techniqueID": "T1137.005", + "techniqueID": "T1091", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: augeas, file_events, office_mru, plist, running_apps, usb_devices\n\nAuditd: ANOM_LINK, USER_AVC, USER_CMD" }, { - "techniqueID": "T1562", - "score": 5, - "comment": "Auditd: ANOM_ABEND, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, NETFILTER_CFG, SELINUX_ERR, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CHAUTHTOK, USER_CMD, USER_ROLE_CHANGE, USER_TTY, USYS_CONFIG\n\nCloudTrail: SetSecurityTokenPreferences, StopLogging, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nOSQuery: alf_exceptions, app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, 
event_taps, fan_speed_sensors, gatekeeper, gatekeeper_apps, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, powershell_events, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1005", + "score": 4, + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: augeas, office_mru, plist, powershell_events, running_apps\n\nAuditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG" }, { "techniqueID": "T1558", "score": 4, - "comment": "Auditd: ANOM_LINK, CRYPTO_KEY_USER, LOGIN, USER_AVC, USER_END, USER_LOGOUT, USYS_CONFIG\n\nOSQuery: augeas, last, logged_in_users, logon_sessions, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: augeas, last, logged_in_users, logon_sessions, office_mru, plist\n\nAuditd: ANOM_LINK, CRYPTO_KEY_USER, LOGIN, USER_AVC, USER_END, USER_LOGOUT, USYS_CONFIG" }, { "techniqueID": "T1555", "score": 4, - "comment": "Auditd: ANOM_LINK, TTY, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: augeas, office_mru, plist, running_apps\n\nAuditd: ANOM_LINK, TTY, USER_AVC, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1567", + "techniqueID": "T1552", "score": 5, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, 
connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, 
pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, 
ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + "comment": "Sysmon: \n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nWinEvtx: \n\nOSQuery: appcompat_shims, augeas, autoexec, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, registry, running_apps, safari_extensions, startup_items, user_events, userassist\n\nAuditd: ANOM_LINK, ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_AVC, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1036", + "techniqueID": "T1217", "score": 4, - "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, SELINUX_ERR, USER_LABELED_EXPORT, USER_TTY, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, background_activities_moderator, crontab, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, gatekeeper, gatekeeper_apps, launchd, launchd_overrides, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, sandboxes, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: augeas, office_mru, plist, running_apps\n\nAuditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1546.011", + "techniqueID": "T1087", "score": 4, - "comment": "Auditd: 
LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: augeas, office_mru, plist, running_apps\n\nAuditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1552", + "techniqueID": "T1074", + "score": 4, + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: augeas, file_events, office_mru, plist\n\nAuditd: ANOM_LINK, USER_AVC, USYS_CONFIG" + }, + { + "techniqueID": "T1649", "score": 5, - "comment": "Auditd: ANOM_LINK, ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_AVC, USER_CMD, USYS_CONFIG\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: appcompat_shims, augeas, autoexec, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, registry, running_apps, safari_extensions, startup_items, user_events, userassist\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nCloudTrail: AddClientIDToOpenIDConnectProvider, ConsoleLogin, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nWinEvtx: \n\nOSQuery: appcompat_shims, augeas, autoexec, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, registry, safari_extensions, startup_items, userassist\n\nAuditd: ANOM_LINK, CRYPTO_SESSION, USER_AVC, USER_LOGIN, USER_START, USYS_CONFIG" }, { - "techniqueID": "T1070.008", + "techniqueID": "T1052", "score": 4, - "comment": "Auditd: 
LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USYS_CONFIG\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: augeas, office_mru, plist, running_apps, usb_devices\n\nAuditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1037.002", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1037", + "score": 5, + "comment": "Sysmon: \n\nCloudTrail: AddClientIDToOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nWinEvtx: \n\nOSQuery: file_events, running_apps\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1218", + "techniqueID": "T1564", "score": 5, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + "comment": "Sysmon: \n\nCloudTrail: AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, CreateUser, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, 
DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagPolicy, TagRole, Untag Policy, UntagRole, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateRole\n\nWinEvtx: \n\nOSQuery: account_policy_data, authenticode, authorizations, authorized_keys, browser_plugins, chrome_extension_content_scripts, chrome_extensions, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, firefox_addons, homebrew_packages, ie_extensions, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, opera_extensions, package_bom, powershell_events, process_file_events, quicklook_cache, running_apps, safari_extensions, shadow, shimcache, signature, suid_bin, user_ssh_keys\n\nAuditd: ADD_USER, ANOM_ADD_ACCOUNT, CRED_ACQ, CRED_DISP, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, USER_CHAUTHTOK, USER_CMD, USER_ERR, USER_LABELED_EXPORT, USER_ROLE_CHANGE, USER_UNLABELED_EXPORT, USYS_CONFIG" }, { - "techniqueID": "T1010", + "techniqueID": "T1080", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: file_events, mounts, 
nfs_shares, running_apps, shared_folders, sharing_preferences\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD" }, { - "techniqueID": "T1087.003", + "techniqueID": "T1137", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1497.003", + "techniqueID": "T1053", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: file_events, running_apps\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1218.003", - "score": 5, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" - }, - { - "techniqueID": "T1563.001", - "score": 6, - "comment": "Auditd: CRYPTO_SESSION, MAC_UNLBL_ALLOW, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG\n\nCloudTrail: ConsoleLogin\n\nOSQuery: running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, 
dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, 
rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1562.002", + "techniqueID": "T1560", "score": 4, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD, USYS_CONFIG\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, browser_plugins, chassis_info, chrome_extension_content_scripts, chrome_extensions, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, 
firefox_addons, hardware_events, homebrew_packages, hvci_status, ibridge_info, ie_extensions, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, opera_extensions, os_version, patches, portage_keywords, portage_packages, portage_use, powershell_events, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, safari_extensions, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1021.002", - "score": 6, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START, USYS_CONFIG\n\nCloudTrail: ConsoleLogin\n\nOSQuery: mounts, nfs_shares, shared_folders, sharing_preferences\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, 
krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: file_events, powershell_events, running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1218.002", + "techniqueID": "T1554", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, 
running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT" }, { - "techniqueID": "T1547.005", - "score": 3, - "comment": "Auditd: USYS_CONFIG\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1574", + "score": 4, + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps\n\nAuditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG" }, { - "techniqueID": "T1011", - "score": 5, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, 
icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, 
smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + "techniqueID": "T1027", + "score": 4, + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, powershell_events, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin, wmi_cli_event_consumers, wmi_script_event_consumers\n\nAuditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG" }, { - "techniqueID": "T1562.004", + "techniqueID": "T1546", "score": 4, - "comment": "Auditd: NETFILTER_CFG, USYS_CONFIG\n\nOSQuery: alf_exceptions\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: authenticode, 
device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin, wmi_cli_event_consumers, wmi_script_event_consumers\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG" }, { - "techniqueID": "T1560", + "techniqueID": "T1486", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: file_events, mounts, nfs_shares, running_apps, shared_folders, sharing_preferences\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1021", - "score": 6, - "comment": "Auditd: CRYPTO_SESSION, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG\n\nCloudTrail: ConsoleLogin\n\nOSQuery: mounts, nfs_shares, running_apps, shared_folders, sharing_preferences\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, 
imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" + "techniqueID": "T1556", + "score": 5, + "comment": "Sysmon: \n\nCloudTrail: AddClientIDToOpenIDConnectProvider, ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, 
DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, RemoveClientIDFromOpenIDConnectProvider, ResyncMFADevice, SetSecurityTokenPreferences, TagMFADevice, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagMFADevice, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events\n\nAuditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, TTY, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USER_LOGIN, USER_ROLE_CHANGE, USER_START" }, { - "techniqueID": "T1059.009", - "score": 2, - "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " + "techniqueID": "T1485", + "score": 5, + "comment": "Sysmon: \n\nCloudTrail: DeleteSnapshot\n\nWinEvtx: \n\nOSQuery: file_events, running_apps\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1553.006", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1490", + "score": 5, + "comment": "Sysmon: \n\nCloudTrail: DeleteSnapshot\n\nWinEvtx: \n\nOSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps\n\nAuditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, USER_CHAUTHTOK, USER_CMD, USER_TTY, USYS_CONFIG" }, { - "techniqueID": "T1112", + "techniqueID": "T1014", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + 
"comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: file_events, time_machine_backups\n\nAuditd: FS_RELABEL, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE" }, { - "techniqueID": "T1543.004", + "techniqueID": "T1600", "score": 4, - "comment": "Auditd: ANOM_PROMISCUOUS, CONFIG_CHANGE, DAEMON_CONFIG, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_POLICY_LOAD, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: file_events\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE" }, { - "techniqueID": "T1555.003", + "techniqueID": "T1489", "score": 4, - "comment": "Auditd: ANOM_LINK, TTY, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1563", - "score": 6, - "comment": "Auditd: CRYPTO_SESSION, MAC_UNLBL_ALLOW, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG\n\nCloudTrail: ConsoleLogin\n\nOSQuery: running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, 
icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, 
smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1484.001", - "score": 3, - "comment": "Auditd: USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, CreateOpenIDConnectProvider, DeleteOpenIDConnectProvider, DeleteSAMLProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps\n\nAuditd: ANOM_ABEND, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG" }, { - "techniqueID": "T1217", + "techniqueID": "T1140", "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: file_events, powershell_events, running_apps\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD" }, { - "techniqueID": "T1552.004", + 
"techniqueID": "T1036", "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1021.006", - "score": 6, - "comment": "Auditd: CRYPTO_SESSION, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, USER_CMD, USER_LOGIN, USER_START, USER_TTY, USYS_CONFIG\n\nCloudTrail: ConsoleLogin\n\nOSQuery: gatekeeper, gatekeeper_apps, running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" - }, - { - "techniqueID": "T1011.001", - "score": 5, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, 
icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, 
smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: authenticode, background_activities_moderator, crontab, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, gatekeeper, gatekeeper_apps, launchd, launchd_overrides, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, sandboxes, shimcache, signature, suid_bin\n\nAuditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, SELINUX_ERR, 
USER_LABELED_EXPORT, USER_TTY, USER_UNLABELED_EXPORT, USYS_CONFIG" }, { - "techniqueID": "T1547.003", + "techniqueID": "T1055", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, shimcache, signature, suid_bin\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, TTY, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT" }, { - "techniqueID": "T1546.005", + "techniqueID": "T1548", "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG" }, { - "techniqueID": "T1574.006", + "techniqueID": "T1647", "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: file_events, running_apps\n\nAuditd: 
LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1136.001", + "techniqueID": "T1098", "score": 5, - "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG\n\nCloudTrail: CreateUser\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nCloudTrail: AddClientIDToOpenIDConnectProvider, AddUserToGroup, AttachGroupPolicy, RemoveClientIDFromOpenIDConnectProvider, RemoveUserFromGroup, SetSecurityTokenPreferences, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateGroup, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nWinEvtx: \n\nOSQuery: file_events, running_apps\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG" }, { - "techniqueID": "T1070.001", + "techniqueID": "T1601", "score": 4, - "comment": "Auditd: USER_CHAUTHTOK, USYS_CONFIG\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1222", - "score": 5, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: file_events\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE" }, { - 
"techniqueID": "T1003.001", + "techniqueID": "T1553", "score": 4, - "comment": "Auditd: TTY, USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nAuditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG" }, { - "techniqueID": "T1548", + "techniqueID": "T1569", "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: file_events, running_apps\n\nAuditd: DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1134.002", - "score": 2, - "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " + "techniqueID": "T1129", + "score": 1, + "comment": "Sysmon: ", + "color": "#ea31de" }, { - "techniqueID": "T1548.001", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, 
mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1106", + "score": 1, + "comment": "Sysmon: ", + "color": "#ea31de" }, { - "techniqueID": "T1547.004", + "techniqueID": "T1620", "score": 3, - "comment": "Auditd: USYS_CONFIG\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: powershell_events" }, { - "techniqueID": "T1003.005", - "score": 2, - "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " + "techniqueID": "T1059", + "score": 4, + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: background_activities_moderator, package_receipts, powershell_events, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1098.004", + "techniqueID": "T1559", "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: powershell_events, running_apps\n\nAuditd: TTY, USER_CMD" }, { - "techniqueID": "T1546.012", + "techniqueID": "T1220", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD" }, { - "techniqueID": "T1218.008", + "techniqueID": "T1185", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nCloudTrail: ConsoleLogin\n\nWinEvtx: \n\nAuditd: CRYPTO_SESSION, TTY, USER_LOGIN, USER_START" }, { - "techniqueID": "T1125", - "score": 2, - "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " + "techniqueID": "T1069", + "score": 5, + "comment": "Sysmon: \n\nCloudTrail: DeleteGroupPolicy, DetachGroupPolicy, GetContextKeysForPrincipalPolicy, 
GetGroupPolicy, ListAttachedGroupPolicies, ListEntitiesForPolicy, ListGroupPolicies, ListGroups, ListGroupsForUser, ListPoliciesGrantingServiceAccess, PutGroupPolicy\n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, groups, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, user_groups\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1016", + "techniqueID": "T1652", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: appcompat_shims, autoexec, registry, running_apps, startup_items, userassist\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1546.008", + "techniqueID": "T1007", "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1087", + "techniqueID": "T1040", "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1059", + "techniqueID": "T1135", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: background_activities_moderator, package_receipts, powershell_events, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1562.006", + "techniqueID": "T1120", "score": 4, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USYS_CONFIG\n\nOSQuery: 
app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1136.002", - "score": 5, - "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG\n\nCloudTrail: CreateUser\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1082", + "score": 4, + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1482", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG\n\nOSQuery: powershell_events, running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, 
rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + "techniqueID": "T1202", + "score": 4, + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1020", + "techniqueID": "T1611", "score": 5, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, powershell_events, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, 
dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, 
smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + "comment": "Sysmon: \n\nCloudTrail: DetachVolume, ModifyVolume\n\nWinEvtx: \n\nOSQuery: authorization_mechanisms, fbsd_kmods, kernel_modules, running_apps\n\nAuditd: USER_CMD" }, { - "techniqueID": "T1070", - "score": 6, - "comment": "Auditd: ANOM_DEL_ACCOUNT, ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, DEL_USER, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, NETFILTER_CFG, 
RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USER_CMD, USER_LABELED_EXPORT, USER_ROLE_CHANGE, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteUser, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: alf_exceptions, authenticode, browser_plugins, chrome_extension_content_scripts, chrome_extensions, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, firefox_addons, homebrew_packages, ie_extensions, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, opera_extensions, package_bom, process_file_events, quicklook_cache, running_apps, safari_extensions, shimcache, signature, socket_events, suid_bin, user_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, 
snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + "techniqueID": "T1010", + "score": 4, + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1112", + "score": 4, + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1048.001", + "techniqueID": "T1222", "score": 5, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, 
krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, 
smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + "comment": "Sysmon: \n\nCloudTrail: AddClientIDToOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nWinEvtx: \n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nAuditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG" }, { - "techniqueID": "T1137.001", + "techniqueID": "T1016", "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: 
powershell_events, running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { "techniqueID": "T1609", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { "techniqueID": "T1083", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1036.004", + "techniqueID": "T1049", "score": 4, - "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, DAEMON_START, MAC_POLICY_LOAD, SELINUX_ERR, USER_TTY, USYS_CONFIG\n\nOSQuery: crontab, gatekeeper, gatekeeper_apps, launchd, launchd_overrides\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1647", + "techniqueID": "T1497", "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1546.009", + "techniqueID": "T1480", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1114.003", - "score": 3, - "comment": "Auditd: USYS_CONFIG\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions\n\nWinEvtx: " + "techniqueID": "T1057", + "score": 4, + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1074", + "techniqueID": "T1072", "score": 4, - "comment": 
"Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, file_events, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nAuditd: USER_CMD" }, { - "techniqueID": "T1649", + "techniqueID": "T1212", "score": 5, - "comment": "Auditd: ANOM_LINK, CRYPTO_SESSION, USER_AVC, USER_LOGIN, USER_START, USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, ConsoleLogin, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nOSQuery: appcompat_shims, augeas, autoexec, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, registry, safari_extensions, startup_items, userassist\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, user_events\n\nAuditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CMD" }, { - "techniqueID": "T1049", + "techniqueID": "T1201", + "score": 5, + "comment": "Sysmon: \n\nCloudTrail: AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, 
DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagPolicy, TagRole, Untag Policy, UntagRole, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateRole\n\nWinEvtx: \n\nOSQuery: account_policy_data, authorizations, authorized_keys, running_apps, shadow, user_ssh_keys\n\nAuditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, USER_CMD, USER_ERR, USYS_CONFIG" + }, + { + "techniqueID": "T1203", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nAuditd: USER_CMD" }, { - "techniqueID": "T1542", - "score": 5, - "comment": "Auditd: FS_RELABEL, USYS_CONFIG\n\nOSQuery: bitlocker_info, drivers, iokit_devicetree, iokit_registry, time_machine_backups\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, 
rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + "techniqueID": "T1012", + "score": 4, + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: appcompat_shims, autoexec, registry, running_apps, startup_items, userassist\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1218.012", + "techniqueID": "T1614", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1569.001", + "techniqueID": "T1651", "score": 4, - "comment": "Auditd: DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: powershell_events, running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1059.008", - "score": 2, - "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " + "techniqueID": "T1134", + "score": 5, + "comment": "Sysmon: \n\nCloudTrail: AddClientIDToOpenIDConnectProvider, AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, 
GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, RemoveClientIDFromOpenIDConnectProvider, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagOpenIDConnectProvider, TagPolicy, TagRole, TagSAMLProvider, Untag Policy, UntagOpenIDConnectProvider, UntagRole, UntagSAMLProvider, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateOpenIDConnectProviderThumbprint, UpdateRole, UpdateSAMLProvider\n\nWinEvtx: \n\nOSQuery: account_policy_data, authorizations, authorized_keys, background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps, shadow, user_ssh_keys\n\nAuditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, USER_CMD, USER_ERR, USYS_CONFIG" }, { - "techniqueID": "T1552.003", - "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1136", + "score": 5, + "comment": "Sysmon: \n\nCloudTrail: CreateUser\n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: ADD_USER, ANOM_ADD_ACCOUNT, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG" }, { - "techniqueID": "T1562.010", + "techniqueID": "T1518", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: alf, alf_explicit_auths, iptables, running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1497", + "techniqueID": "T1622", "score": 
4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1552.001", + "techniqueID": "T1124", "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1218.005", - "score": 5, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + "techniqueID": "T1216", + "score": 4, + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: powershell_events, running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1480", + "techniqueID": "T1211", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nAuditd: USER_CMD" }, { - "techniqueID": "T1134.001", - "score": 2, - "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " + "techniqueID": "T1127", + "score": 4, + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: running_apps\n\nAuditd: USER_CMD, USYS_CONFIG" }, { - "techniqueID": 
"T1567.001", - "score": 5, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, 
pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + "techniqueID": "T1529", + 
"score": 4, + "comment": "Sysmon: \n\nWinEvtx: \n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nAuditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD, USYS_CONFIG" }, { - "techniqueID": "T1204", - "score": 6, - "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG\n\nCloudTrail: CreateImage, RunInstances, StartInstances\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, 
rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" + "techniqueID": "T1484", + "score": 3, + "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, CreateOpenIDConnectProvider, DeleteOpenIDConnectProvider, DeleteSAMLProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nWinEvtx: \n\nAuditd: USYS_CONFIG" }, { - "techniqueID": "T1564.002", - "score": 5, - "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, CRED_ACQ, CRED_DISP, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USER_ERR, USER_ROLE_CHANGE, USYS_CONFIG\n\nCloudTrail: AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, 
CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, CreateUser, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagPolicy, TagRole, Untag Policy, UntagRole, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateRole\n\nOSQuery: account_policy_data, authorizations, authorized_keys, file_events, running_apps, shadow, user_ssh_keys\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1531", + "score": 3, + "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, DeleteUser, RemoveClientIDFromOpenIDConnectProvider, SetSecurityTokenPreferences, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nWinEvtx: \n\nAuditd: ANOM_DEL_ACCOUNT, DEL_USER, USER_CHAUTHTOK, USER_ROLE_CHANGE" }, { - "techniqueID": "T1134.003", + 
"techniqueID": "T1525", "score": 2, - "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " - }, - { - "techniqueID": "T1552.006", - "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + "comment": "CloudTrail: CreateImage, ModifyImageAttribute\n\nOSQuery: sandboxes" }, { - "techniqueID": "T1048.002", - "score": 5, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, 
netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, 
socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + "techniqueID": "T1578", + "score": 1, + "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, CreateSnapshot, CreateVolume, DeleteInstanceProfile, DeleteSnapshot, DetachVolume, GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, ModifySnapshotAttribute, ModifyVolume, RemoveRoleFromInstanceProfile, RunInstances, StartInstances, StopInstances, TagInstanceProfile, UntagInstanceProfile", + "color": "#5d053f" }, { - "techniqueID": "T1087.004", - "score": 2, - "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " + "techniqueID": "T1535", + "score": 1, + "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, DeleteInstanceProfile, GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, RemoveRoleFromInstanceProfile, TagInstanceProfile, UntagInstanceProfile", + "color": "#5d053f" }, { - "techniqueID": "T1057", + "techniqueID": "T1550", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, 
UntagMFADevice\n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events\n\nAuditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START" }, { - "techniqueID": "T1562.003", + "techniqueID": "T1606", "score": 3, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USYS_CONFIG\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nWinEvtx: " - }, - { - "techniqueID": "T1546.003", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps, wmi_cli_event_consumers, wmi_script_event_consumers\n\nSysmon: \n\nWinEvtx: " + "comment": "CloudTrail: ConsoleLogin\n\nWinEvtx: \n\nAuditd: CRYPTO_SESSION, USER_LOGIN, USER_START" }, { - "techniqueID": "T1497.002", + "techniqueID": "T1621", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1041", - "score": 5, - "comment": 
"Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, 
pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, 
ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, user_events\n\nAuditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START" }, { - "techniqueID": "T1059.001", + "techniqueID": "T1078", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: background_activities_moderator, package_receipts, powershell_events, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nWinEvtx: \n\nOSQuery: last, logged_in_users, logon_sessions, user_events\n\nAuditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START" }, { - "techniqueID": "T1546.001", 
+ "techniqueID": "T1213", "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "CloudTrail: ConsoleLogin\n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions\n\nAuditd: CRYPTO_SESSION, USER_LOGIN, USER_START" }, { - "techniqueID": "T1546.014", + "techniqueID": "T1538", "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nWinEvtx: \n\nOSQuery: user_events\n\nAuditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START" }, { - "techniqueID": "T1547.001", + "techniqueID": "T1110", "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nWinEvtx: \n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events\n\nAuditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USYS_CONFIG" }, { - "techniqueID": "T1069.001", - "score": 5, - "comment": "Auditd: USER_CMD, 
USYS_CONFIG\n\nCloudTrail: ListAttachedGroupPolicies, ListGroupPolicies, ListGroups, ListGroupsForUser\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1528", + "score": 3, + "comment": "CloudTrail: SetSecurityTokenPreferences, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nWinEvtx: \n\nAuditd: USER_CHAUTHTOK, USER_ROLE_CHANGE" }, { - "techniqueID": "T1098", - "score": 5, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, AddUserToGroup, AttachGroupPolicy, RemoveClientIDFromOpenIDConnectProvider, RemoveUserFromGroup, SetSecurityTokenPreferences, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateGroup, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1113", + "score": 2, + "comment": "WinEvtx: \n\nAuditd: USYS_CONFIG" }, { - "techniqueID": "T1048", - "score": 5, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, 
dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, 
rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + "techniqueID": "T1006", + "score": 3, + "comment": "WinEvtx: \n\nOSQuery: device_file, device_partitions, disk_encryption, 
disk_events, disk_info, logical_drives\n\nAuditd: USYS_CONFIG" }, { - "techniqueID": "T1547.006", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: authorization_mechanisms, fbsd_kmods, file_events, kernel_modules, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1123", + "score": 2, + "comment": "WinEvtx: \n\nAuditd: USYS_CONFIG" }, { - "techniqueID": "T1056.002", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1115", + "score": 2, + "comment": "WinEvtx: \n\nAuditd: USYS_CONFIG" }, { - "techniqueID": "T1052.001", - "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, running_apps, usb_devices\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1125", + "score": 2, + "comment": "WinEvtx: \n\nAuditd: USYS_CONFIG" }, { - "techniqueID": "T1053.006", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1092", + "score": 2, + "comment": "WinEvtx: \n\nOSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives, usb_devices" }, { - "techniqueID": "T1218.001", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1195", + "score": 3, + "comment": "WinEvtx: \n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, authenticode, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, event_taps, extended_attributes, fan_speed_sensors, file, hardware_events, hvci_status, ibridge_info, intel_me_info, 
kernel_panics, keychain_acls, keychain_items, magic, mdfind, mdls, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, ntfs_acl_permissions, ntfs_journal_events, os_version, package_bom, patches, portage_keywords, portage_packages, portage_use, preferences, process_file_events, programs, python_packages, quicklook_cache, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, shimcache, signature, sip_config, sudoers, suid_bin, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nAuditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT" }, { - "techniqueID": "T1070.005", - "score": 6, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, MAC_UNLBL_ALLOW, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CMD, USYS_CONFIG\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: running_apps, socket_events, user_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, 
smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + "techniqueID": "T1594", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", + "color": "#be158b" }, { - "techniqueID": "T1110", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USYS_CONFIG\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events\n\nWinEvtx: " + "techniqueID": "T1610", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", + "color": "#be158b" }, { - "techniqueID": "T1059.004", - "score": 4, - "comment": 
"Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + "techniqueID": "T1648", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", + "color": "#be158b" }, { - "techniqueID": "T1137.003", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nSysmon: \n\nWinEvtx: " - }, + "techniqueID": "T1588", + "score": 1, + "comment": "OSQuery: certificates", + "color": "#be158b" + } + ], + "gradient": { + "colors": [ + "#b7ffbf", + "#063b00" + ], + "minValue": 1, + "maxValue": 6 + }, + "legendItems": [ { - "techniqueID": "T1562.001", - "score": 4, - "comment": "Auditd: ANOM_ABEND, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_TTY, USYS_CONFIG\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, gatekeeper, gatekeeper_apps, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, 
xprotect_reports\n\nSysmon: \n\nWinEvtx: " + "label": "Zeek", + "color": "#954a47" }, { - "techniqueID": "T1039", - "score": 5, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, mounts, nfs_shares, office_mru, plist, shared_folders, sharing_preferences, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, 
ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" + "label": "Sysmon", + "color": "#ea31de" }, { - "techniqueID": "T1574", - "score": 4, - "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG\n\nOSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps\n\nSysmon: \n\nWinEvtx: " + "label": "CloudTrail", + "color": "#5d053f" }, { - "techniqueID": "T1204.003", - "score": 4, - "comment": "Auditd: USYS_CONFIG\n\nCloudTrail: CreateImage, RunInstances, StartInstances\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions\n\nWinEvtx: " + "label": "WinEvtx", + "color": "#390e6e" }, { - "techniqueID": "T1564.009", - "score": 4, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + "label": "OSQuery", + "color": "#be158b" }, - { - "techniqueID": "T1027", - "score": 4, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, powershell_events, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin, wmi_cli_event_consumers, wmi_script_event_consumers\n\nSysmon: \n\nWinEvtx: " - }, - { - 
"techniqueID": "T1114.002", - "score": 5, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START, USYS_CONFIG\n\nCloudTrail: ConsoleLogin\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" - }, - { - "techniqueID": "T1505.004", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USYS_CONFIG\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1564.006", - "score": 4, - "comment": "Auditd: DAEMON_START, MAC_POLICY_LOAD, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps, sandboxes\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1201", - "score": 5, - "comment": "Auditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, USER_CMD, USER_ERR, USYS_CONFIG\n\nCloudTrail: AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, 
ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagPolicy, TagRole, Untag Policy, UntagRole, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateRole\n\nOSQuery: account_policy_data, authorizations, authorized_keys, running_apps, shadow, user_ssh_keys\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1546", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin, wmi_cli_event_consumers, wmi_script_event_consumers\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1546.004", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1486", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, mounts, nfs_shares, running_apps, shared_folders, sharing_preferences\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1553", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " - }, - { - 
"techniqueID": "T1547.002", - "score": 3, - "comment": "Auditd: USYS_CONFIG\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1218.010", - "score": 5, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" - }, - { - "techniqueID": "T1546.015", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1036.003", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1137.004", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1567.002", - "score": 5, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, 
connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, 
pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, 
ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1570", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, mounts, nfs_shares, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shared_folders, sharing_preferences, shimcache, signature, socket_events, suid_bin\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, 
netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, 
socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1037.005", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1614.001", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: appcompat_shims, autoexec, registry, running_apps, startup_items, userassist\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1012", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: appcompat_shims, autoexec, registry, running_apps, startup_items, userassist\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1218.009", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1553.004", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1037.003", - "score": 5, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1027.004", - "score": 4, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: 
authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1614", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1197", - "score": 5, - "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG\n\nOSQuery: gatekeeper, gatekeeper_apps, running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" - }, - { - "techniqueID": "T1127.001", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1518.001", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: alf, alf_explicit_auths, iptables, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1564.003", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1059.006", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1546.010", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1496", - "score": 5, - 
"comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD, USYS_CONFIG\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, file_events, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, 
krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" - }, - { - "techniqueID": "T1546.002", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1003.008", - "score": 4, - 
"comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1543.001", - "score": 4, - "comment": "Auditd: ANOM_PROMISCUOUS, CONFIG_CHANGE, DAEMON_CONFIG, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_POLICY_LOAD, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USYS_CONFIG\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1569", - "score": 4, - "comment": "Auditd: DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1059.003", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1070.009", - "score": 5, - "comment": "Auditd: ANOM_DEL_ACCOUNT, DEL_USER, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG\n\nCloudTrail: DeleteUser\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1555.004", - "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1485", - "score": 5, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USYS_CONFIG\n\nCloudTrail: DeleteSnapshot\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1556.005", - "score": 4, - "comment": "Auditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, USER_ERR, USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, DeleteAccessKey, 
DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, RemoveClientIDFromOpenIDConnectProvider, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagOpenIDConnectProvider, TagPolicy, TagRole, TagSAMLProvider, Untag Policy, UntagOpenIDConnectProvider, UntagRole, UntagSAMLProvider, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateOpenIDConnectProviderThumbprint, UpdateRole, UpdateSAMLProvider\n\nOSQuery: account_policy_data, authorizations, authorized_keys, powershell_events, shadow, user_ssh_keys\n\nWinEvtx: " - }, - { - "techniqueID": "T1027.010", - "score": 3, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, powershell_events, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nWinEvtx: " - }, - { - "techniqueID": "T1070.004", - "score": 4, - "comment": "Auditd: USER_CHAUTHTOK, USYS_CONFIG\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1651", - "score": 4, - "comment": "Auditd: 
USER_CMD, USYS_CONFIG\n\nOSQuery: powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1546.016", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1037.004", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1134", - "score": 5, - "comment": "Auditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, USER_CMD, USER_ERR, USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, RemoveClientIDFromOpenIDConnectProvider, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagOpenIDConnectProvider, TagPolicy, TagRole, TagSAMLProvider, Untag Policy, UntagOpenIDConnectProvider, UntagRole, UntagSAMLProvider, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, 
UpdateLoginProfile, UpdateOpenIDConnectProviderThumbprint, UpdateRole, UpdateSAMLProvider\n\nOSQuery: account_policy_data, authorizations, authorized_keys, background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps, shadow, user_ssh_keys\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1059.005", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1543.002", - "score": 4, - "comment": "Auditd: ANOM_PROMISCUOUS, CONFIG_CHANGE, DAEMON_CONFIG, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_POLICY_LOAD, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1563.002", - "score": 6, - "comment": "Auditd: CRYPTO_SESSION, MAC_UNLBL_ALLOW, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG\n\nCloudTrail: ConsoleLogin\n\nOSQuery: running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, 
http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, 
smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1136", - "score": 5, - "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG\n\nCloudTrail: CreateUser\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1547.013", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1018", - "score": 5, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" - 
}, - { - "techniqueID": "T1046", - "score": 3, - "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, 
rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request" - }, - { - "techniqueID": "T1518", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: alf, alf_explicit_auths, iptables, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1622", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1547.007", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USYS_CONFIG\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1052", - "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, running_apps, usb_devices\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1037.001", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1484", - "score": 3, - "comment": "Auditd: USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, CreateOpenIDConnectProvider, DeleteOpenIDConnectProvider, DeleteSAMLProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nWinEvtx: " - }, - { - "techniqueID": "T1564.001", - "score": 4, - "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, 
USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1137.002", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1003.003", - "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1569.002", - "score": 4, - "comment": "Auditd: DAEMON_START, MAC_POLICY_LOAD, USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1480.001", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1564.004", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1124", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1053.002", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1490", - "score": 5, - "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, 
USER_CHAUTHTOK, USER_CMD, USER_TTY, USYS_CONFIG\n\nCloudTrail: DeleteSnapshot\n\nOSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1546.007", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1216", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1552.007", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USYS_CONFIG\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1561.001", - "score": 4, - "comment": "Auditd: FS_RELABEL, USER_CMD, USYS_CONFIG\n\nOSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives, running_apps, time_machine_backups\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1048.003", - "score": 5, - "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, 
dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, 
sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1127", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1529", - "score": 4, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD, USYS_CONFIG\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, 
chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1218.014", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1574.012", - "score": 4, - "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1014", - "score": 4, - "comment": "Auditd: FS_RELABEL, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events, time_machine_backups\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1542.003", - "score": 3, - "comment": "Auditd: FS_RELABEL\n\nOSQuery: time_machine_backups\n\nWinEvtx: " - }, - { - "techniqueID": "T1539", - "score": 4, - "comment": "Auditd: ANOM_LINK, TTY, USER_AVC\n\nOSQuery: augeas, office_mru, plist\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1091", - "score": 4, - "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD\n\nOSQuery: augeas, file_events, office_mru, plist, running_apps, usb_devices\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1187", - "score": 5, - "comment": "Auditd: ANOM_LINK, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_AVC\n\nOSQuery: augeas, 
file_events, office_mru, plist, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, 
pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1565.001", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK\n\nOSQuery: 
file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1565.003", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1554", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1565", - "score": 5, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_CHAUTHTOK, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, socket_events, suid_bin\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, 
dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, 
smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1027.009", - "score": 4, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1036.007", - "score": 4, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, 
magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1195.001", - "score": 3, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nWinEvtx: " - }, - { - "techniqueID": "T1036.005", - "score": 4, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, sandboxes, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1027.008", - "score": 3, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nWinEvtx: " - }, - { - "techniqueID": "T1553.002", - "score": 3, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, 
suid_bin\n\nWinEvtx: " - }, - { - "techniqueID": "T1195", - "score": 3, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, authenticode, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, event_taps, extended_attributes, fan_speed_sensors, file, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, magic, mdfind, mdls, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, ntfs_acl_permissions, ntfs_journal_events, os_version, package_bom, patches, portage_keywords, portage_packages, portage_use, preferences, process_file_events, programs, python_packages, quicklook_cache, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, shimcache, signature, sip_config, sudoers, suid_bin, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nWinEvtx: " - }, - { - "techniqueID": "T1055", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, TTY, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, shimcache, signature, suid_bin\n\nSysmon: 
\n\nWinEvtx: " - }, - { - "techniqueID": "T1070.006", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1027.001", - "score": 3, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nWinEvtx: " - }, - { - "techniqueID": "T1055.013", - "score": 3, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nWinEvtx: " - }, - { - "techniqueID": "T1036.002", - "score": 3, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nWinEvtx: " - }, - { - "techniqueID": "T1553.005", - "score": 4, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, 
ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1036.001", - "score": 3, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nWinEvtx: " - }, - { - "techniqueID": "T1195.002", - "score": 3, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nWinEvtx: " - }, - { - "techniqueID": "T1027.003", - "score": 3, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nWinEvtx: " - }, - { - "techniqueID": "T1564.007", - "score": 3, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, powershell_events, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nWinEvtx: " - }, - { - "techniqueID": "T1027.002", - "score": 3, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, 
elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nWinEvtx: " - }, - { - "techniqueID": "T1036.006", - "score": 3, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nWinEvtx: " - }, - { - "techniqueID": "T1027.007", - "score": 4, - "comment": "Auditd: USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1556.003", - "score": 5, - "comment": "Auditd: CRYPTO_SESSION, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1491.002", - "score": 5, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, 
rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1600", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1080", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD\n\nOSQuery: file_events, mounts, nfs_shares, running_apps, shared_folders, sharing_preferences\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1574.001", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1600.001", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1140", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD\n\nOSQuery: file_events, powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, 
- { - "techniqueID": "T1547.009", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1553.003", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1556.007", - "score": 5, - "comment": "Auditd: CRYPTO_SESSION, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1574.008", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1491", - "score": 5, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, 
smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1505.003", - "score": 5, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_CMD\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, 
icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, 
smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1056.003", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1574.005", - "score": 4, - "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY\n\nOSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1600.002", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1547.015", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1491.001", - "score": 5, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, 
safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1574.010", - "score": 4, - "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY\n\nOSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1601", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1056", 
- "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD\n\nOSQuery: background_activities_moderator, file_events, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1574.009", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1055.009", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1601.001", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1505", - "score": 5, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_CMD\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, 
icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, 
smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1556.001", - "score": 5, - "comment": "Auditd: CRYPTO_SESSION, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, TTY, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1564.005", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1574.002", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1547.008", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1556", - "score": 5, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, TTY, USER_ACCT, USER_AUTH, 
USER_CHAUTHTOK, USER_LOGIN, USER_ROLE_CHANGE, USER_START\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, RemoveClientIDFromOpenIDConnectProvider, ResyncMFADevice, SetSecurityTokenPreferences, TagMFADevice, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagMFADevice, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1556.004", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1574.004", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1601.002", - "score": 4, - "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1562.007", - "score": 3, - "comment": "Auditd: NETFILTER_CFG\n\nOSQuery: alf_exceptions\n\nWinEvtx: " - }, - { - "techniqueID": "T1498.001", - "score": 4, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, 
ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, 
nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request" - }, - { - "techniqueID": "T1499.001", - "score": 4, - "comment": "Auditd: MAC_UNLBL_ALLOW, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, socket_events, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nWinEvtx: \n\nZeek: 
arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, 
pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1499.003", - "score": 4, - "comment": "Auditd: MAC_UNLBL_ALLOW, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, 
block_devices, browser_plugins, chassis_info, chrome_extension_content_scripts, chrome_extensions, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, firefox_addons, hardware_events, homebrew_packages, hvci_status, ibridge_info, ie_extensions, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, opera_extensions, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, safari_extensions, selinux_events, selinux_settings, shared_resources, sip_config, socket_events, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, 
krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, 
smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1499.004", - "score": 4, - "comment": "Auditd: MAC_UNLBL_ALLOW, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, browser_plugins, chassis_info, chrome_extension_content_scripts, chrome_extensions, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, firefox_addons, hardware_events, homebrew_packages, hvci_status, ibridge_info, ie_extensions, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, opera_extensions, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, safari_extensions, selinux_events, selinux_settings, shared_resources, sip_config, socket_events, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, 
xprotect_reports\n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, 
pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1498.002", - "score": 4, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, 
apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, 
netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request" - }, - { - "techniqueID": "T1499.002", - "score": 4, - "comment": "Auditd: MAC_UNLBL_ALLOW, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, browser_plugins, chassis_info, chrome_extension_content_scripts, chrome_extensions, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, firefox_addons, hardware_events, homebrew_packages, hvci_status, ibridge_info, ie_extensions, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, opera_extensions, os_version, patches, portage_keywords, portage_packages, portage_use, 
preferences, programs, python_packages, rpm_package_files, rpm_packages, safari_extensions, selinux_events, selinux_settings, shared_resources, sip_config, socket_events, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, 
nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, 
ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1195.003", - "score": 3, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nWinEvtx: " - }, - { - "techniqueID": "T1562.011", - "score": 4, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, 
selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1499", - "score": 4, - "comment": "Auditd: MAC_UNLBL_ALLOW, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, browser_plugins, chassis_info, chrome_extension_content_scripts, chrome_extensions, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, firefox_addons, hardware_events, homebrew_packages, hvci_status, ibridge_info, ie_extensions, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, opera_extensions, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, safari_extensions, selinux_events, selinux_settings, shared_resources, sip_config, socket_events, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, 
dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, 
smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1498", - "score": 4, - "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, 
python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, 
pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request" - }, - { - "techniqueID": "T1021.005", - "score": 6, - "comment": "Auditd: CRYPTO_SESSION, USER_CMD, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" - }, - { - "techniqueID": "T1213.002", - "score": 4, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions\n\nWinEvtx: " - }, - { - "techniqueID": "T1606.002", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START\n\nCloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, 
DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: last, logged_in_users, logon_sessions, user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1021.004", - "score": 6, - "comment": "Auditd: CRYPTO_SESSION, USER_CMD, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" - }, - { - "techniqueID": "T1550", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1185", - "score": 4, - "comment": "Auditd: CRYPTO_SESSION, TTY, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1078.001", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin, CreateVirtualMFADevice, 
DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1213.001", - "score": 4, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions\n\nWinEvtx: " - }, - { - "techniqueID": "T1550.003", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1606.001", - "score": 3, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nWinEvtx: " - }, - { - "techniqueID": "T1021.007", - "score": 3, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nWinEvtx: " - }, - { - "techniqueID": "T1606", - "score": 3, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nWinEvtx: " - }, - { - "techniqueID": "T1621", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START\n\nCloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, 
ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1199", - "score": 5, - "comment": "Auditd: CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, MAC_UNLBL_ALLOW, USER_END, USER_LOGIN, USER_LOGOUT, USER_START\n\nCloudTrail: ConsoleLogin\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, socket_events\n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, 
ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1078", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START\n\nCloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: last, logged_in_users, logon_sessions, user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1556.006", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USER_LOGIN, USER_ROLE_CHANGE, USER_START\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, RemoveClientIDFromOpenIDConnectProvider, ResyncMFADevice, SetSecurityTokenPreferences, TagMFADevice, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagMFADevice, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nOSQuery: user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1078.002", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, 
CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START\n\nCloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: last, logged_in_users, logon_sessions, user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1213.003", - "score": 4, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions\n\nWinEvtx: " - }, - { - "techniqueID": "T1213", - "score": 4, - "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions\n\nWinEvtx: " - }, - { - "techniqueID": "T1538", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1550.002", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, 
ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1021.001", - "score": 6, - "comment": "Auditd: CRYPTO_SESSION, USER_CMD, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, 
pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" - }, - { - "techniqueID": "T1078.004", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START\n\nCloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: last, logged_in_users, logon_sessions, user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1078.003", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START\n\nCloudTrail: 
ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: last, logged_in_users, logon_sessions, user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1133", - "score": 5, - "comment": "Auditd: CRYPTO_KEY_USER, LOGIN, MAC_UNLBL_ALLOW, USER_END, USER_LOGOUT\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, 
netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, 
snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1558.001", - "score": 3, - "comment": "Auditd: CRYPTO_KEY_USER, LOGIN, USER_END, USER_LOGOUT\n\nOSQuery: last, logged_in_users, logon_sessions\n\nWinEvtx: " - }, - { - "techniqueID": "T1558.002", - "score": 3, - "comment": "Auditd: CRYPTO_KEY_USER, LOGIN, USER_END, USER_LOGOUT\n\nOSQuery: last, logged_in_users, logon_sessions\n\nWinEvtx: " - }, - { - "techniqueID": "T1557", - "score": 5, - "comment": "Auditd: DAEMON_START, MAC_POLICY_LOAD, MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, 
dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, 
smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1132.001", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, 
smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1602", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, 
smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1071.004", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, 
krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, 
smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1573.001", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, 
smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1586.001", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, 
udp_contents" - }, - { - "techniqueID": "T1566.002", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, 
partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, 
tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1598.003", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, 
nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, 
ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1566.001", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, 
nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, 
ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1071", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, 
nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, 
ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1190", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1219", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW, 
USER_CMD\n\nOSQuery: running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, 
pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, 
ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1205", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD\n\nOSQuery: running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, 
nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, 
ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1572", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, 
mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, 
smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1599.001", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, 
krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, 
smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1602.002", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, 
smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1589", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, 
smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1071.003", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, 
nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, 
ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1595.002", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, 
nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, 
ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1207", - "score": 5, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, MAC_UNLBL_ALLOW, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, CreateOpenIDConnectProvider, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, RemoveClientIDFromOpenIDConnectProvider, ResyncMFADevice, TagMFADevice, TagOpenIDConnectProvider, TagSAMLProvider, UntagMFADevice, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nOSQuery: socket_events, user_events\n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, 
smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1557.003", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, 
netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, 
snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1557.001", - "score": 5, - "comment": "Auditd: DAEMON_START, MAC_POLICY_LOAD, MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, 
netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, 
socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1595", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, 
netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, 
ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1090.002", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, 
netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, 
snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1589.002", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, 
snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1090", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, 
nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, 
ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1568", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, 
mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, 
smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1612", - "score": 6, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nCloudTrail: CreateImage\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, 
icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, 
smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1586", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, 
smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1102", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, 
krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, 
smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1568.003", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, 
smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1598.002", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, 
krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, 
smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1071.002", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, 
mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, 
smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1102.003", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, 
krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, 
smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1210", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, 
smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1534", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, 
icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, 
smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1566", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, 
http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, 
smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1090.003", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, 
http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, 
smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1001", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, 
smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1571", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, 
krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, 
smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1585.001", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, 
smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1599", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, 
nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, 
ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1573", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1567.003", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: 
socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, 
pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1102.002", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, 
connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, 
pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, 
ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1595.003", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1573.002", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, 
mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1095", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, 
dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, 
smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1001.003", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, 
smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1090.004", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, 
snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1557.002", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, 
nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, 
ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1132", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1598", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, 
firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, 
pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1585", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: 
socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1565.002", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, 
dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, 
sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1132.002", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, 
smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1537", - "score": 4, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nCloudTrail: CreateSnapshot, ModifySnapshotAttribute\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, 
smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1189", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, 
smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1221", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD\n\nOSQuery: running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, 
smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1071.001", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, 
mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, 
smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1105", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: file_events, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, 
mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, 
smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1602.001", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, 
smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1001.002", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, 
smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1204.001", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: file_events, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, 
snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1003.006", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nCloudTrail: GetOpenIDConnectProvider\n\nOSQuery: managed_policies, socket_events\n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, 
mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, 
snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1566.003", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, 
mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, 
snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1090.001", - "score": 5, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, 
mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, 
smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1102.001", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, 
imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, 
smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1001.001", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, 
smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" - }, - { - "techniqueID": "T1598.001", - "score": 3, - "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, 
netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, 
snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" - }, - { - "techniqueID": "T1055.003", - "score": 3, - "comment": "Auditd: TTY\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1055.004", - "score": 3, - "comment": "Auditd: TTY\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1055.002", - "score": 3, - "comment": "Auditd: TTY\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1559.003", - "score": 3, - "comment": "Auditd: TTY\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1559", - "score": 4, - "comment": "Auditd: TTY, USER_CMD\n\nOSQuery: powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1055.012", - "score": 3, - "comment": "Auditd: TTY\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1055.005", - "score": 3, - "comment": "Auditd: TTY\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1055.008", - "score": 3, - "comment": "Auditd: TTY\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1055.001", - "score": 4, - "comment": "Auditd: TTY\n\nOSQuery: background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1205.002", - "score": 5, - "comment": "Auditd: USER_CMD\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, 
rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" - }, - { - "techniqueID": "T1574.007", - "score": 4, - "comment": "Auditd: USER_CMD\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1559.002", - "score": 4, - "comment": "Auditd: USER_CMD\n\nOSQuery: powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1204.002", - "score": 4, - "comment": "Auditd: USER_CMD\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1559.001", - "score": 4, - "comment": "Auditd: USER_CMD\n\nOSQuery: powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1611", - "score": 5, - "comment": "Auditd: USER_CMD\n\nCloudTrail: DetachVolume, ModifyVolume\n\nOSQuery: authorization_mechanisms, fbsd_kmods, kernel_modules, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1021.003", - "score": 5, - "comment": "Auditd: USER_CMD\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" - }, - { - "techniqueID": "T1072", - "score": 4, - "comment": "Auditd: USER_CMD\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1134.004", - "score": 4, - "comment": "Auditd: USER_CMD\n\nOSQuery: 
background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1212", - "score": 5, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CMD\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, user_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1068", - "score": 4, - "comment": "Auditd: USER_CMD\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1548.004", - "score": 4, - "comment": "Auditd: USER_CMD\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1203", - "score": 4, - "comment": "Auditd: USER_CMD\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1220", - "score": 4, - "comment": "Auditd: USER_CMD\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1211", - "score": 4, - "comment": "Auditd: USER_CMD\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1564.010", - "score": 4, - "comment": "Auditd: USER_CMD\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " - }, - 
{ - "techniqueID": "T1110.001", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1552.005", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1110.002", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1110.003", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH\n\nCloudTrail: CreateVirtualMFADevice, 
DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1110.004", - "score": 4, - "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events\n\nWinEvtx: " - }, - { - "techniqueID": "T1136.003", - "score": 3, - "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, USER_ROLE_CHANGE\n\nCloudTrail: CreateUser\n\nWinEvtx: " - }, - { - "techniqueID": "T1531", - "score": 3, - "comment": "Auditd: ANOM_DEL_ACCOUNT, DEL_USER, USER_CHAUTHTOK, USER_ROLE_CHANGE\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, DeleteUser, RemoveClientIDFromOpenIDConnectProvider, SetSecurityTokenPreferences, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nWinEvtx: " - }, - { - "techniqueID": "T1134.005", - "score": 4, - "comment": "Auditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, USER_ERR\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, AttachRolePolicy, AttachUserPolicy, 
ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, RemoveClientIDFromOpenIDConnectProvider, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagOpenIDConnectProvider, TagPolicy, TagRole, TagSAMLProvider, Untag Policy, UntagOpenIDConnectProvider, UntagRole, UntagSAMLProvider, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateOpenIDConnectProviderThumbprint, UpdateRole, UpdateSAMLProvider\n\nOSQuery: account_policy_data, authorizations, authorized_keys, shadow, user_ssh_keys\n\nWinEvtx: " - }, - { - "techniqueID": "T1098.003", - "score": 3, - "comment": "Auditd: USER_CHAUTHTOK, USER_ROLE_CHANGE\n\nCloudTrail: SetSecurityTokenPreferences, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nWinEvtx: " - }, - { - "techniqueID": "T1098.005", - "score": 4, - "comment": "Auditd: USER_CHAUTHTOK, USER_ROLE_CHANGE\n\nCloudTrail: 
CreateOpenIDConnectProvider, SetSecurityTokenPreferences, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions\n\nWinEvtx: " - }, - { - "techniqueID": "T1528", - "score": 3, - "comment": "Auditd: USER_CHAUTHTOK, USER_ROLE_CHANGE\n\nCloudTrail: SetSecurityTokenPreferences, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nWinEvtx: " - }, - { - "techniqueID": "T1098.001", - "score": 3, - "comment": "Auditd: USER_CHAUTHTOK, USER_ROLE_CHANGE\n\nCloudTrail: SetSecurityTokenPreferences, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nWinEvtx: " - }, - { - "techniqueID": "T1562.008", - "score": 3, - "comment": "Auditd: USER_CHAUTHTOK, USER_ROLE_CHANGE\n\nCloudTrail: SetSecurityTokenPreferences, StopLogging, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nWinEvtx: " - }, - { - "techniqueID": "T1098.002", - "score": 4, - "comment": "Auditd: USER_CHAUTHTOK, USER_ROLE_CHANGE\n\nCloudTrail: AddUserToGroup, AttachGroupPolicy, RemoveUserFromGroup, SetSecurityTokenPreferences, TagUser, UntagUser, UpdateAccessKey, UpdateGroup, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nOSQuery: browser_plugins, 
chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions\n\nWinEvtx: " - }, - { - "techniqueID": "T1525", - "score": 2, - "comment": "CloudTrail: CreateImage, ModifyImageAttribute\n\nOSQuery: sandboxes" - }, - { - "techniqueID": "T1578.004", - "score": 1, - "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, DeleteInstanceProfile, GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, RemoveRoleFromInstanceProfile, RunInstances, StartInstances, StopInstances, TagInstanceProfile, UntagInstanceProfile", - "color": "#BC5627" - }, - { - "techniqueID": "T1578", - "score": 1, - "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, CreateSnapshot, CreateVolume, DeleteInstanceProfile, DeleteSnapshot, DetachVolume, GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, ModifySnapshotAttribute, ModifyVolume, RemoveRoleFromInstanceProfile, RunInstances, StartInstances, StopInstances, TagInstanceProfile, UntagInstanceProfile", - "color": "#BC5627" - }, - { - "techniqueID": "T1535", - "score": 1, - "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, DeleteInstanceProfile, GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, RemoveRoleFromInstanceProfile, TagInstanceProfile, UntagInstanceProfile", - "color": "#BC5627" - }, - { - "techniqueID": "T1578.003", - "score": 1, - "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, DeleteInstanceProfile, GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, RemoveRoleFromInstanceProfile, TagInstanceProfile, UntagInstanceProfile", - "color": "#BC5627" - }, - { - "techniqueID": "T1578.002", - "score": 1, - "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, DeleteInstanceProfile, 
GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, RemoveRoleFromInstanceProfile, TagInstanceProfile, UntagInstanceProfile", - "color": "#BC5627" - }, - { - "techniqueID": "T1578.001", - "score": 1, - "comment": "CloudTrail: CreateSnapshot", - "color": "#BC5627" - }, - { - "techniqueID": "T1594", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1505.002", - "score": 3, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1610", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1552.008", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1027.005", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1550.004", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1200", - "score": 3, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, 
firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, usb_devices\n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, 
rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request" - }, - { - "techniqueID": "T1648", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1505.001", - "score": 1, - "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions", - "color": "#B03FD6" - }, - { - "techniqueID": "T1588.004", - "score": 1, - "comment": "OSQuery: certificates", - "color": "#B03FD6" - }, - { - "techniqueID": "T1588", - "score": 1, - "comment": "OSQuery: certificates", - "color": "#B03FD6" - }, - { - "techniqueID": "T1092", - "score": 2, - "comment": "OSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives, usb_devices\n\nWinEvtx: " - }, - { - "techniqueID": "T1542.002", - "score": 1, - "comment": "OSQuery: bitlocker_info, drivers, iokit_devicetree, iokit_registry", - "color": "#B03FD6" - }, - { - "techniqueID": "T1053.007", - "score": 3, - "comment": "OSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1560.003", - "score": 3, - "comment": "OSQuery: file_events, powershell_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1547.012", - "score": 3, - "comment": "OSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1556.002", - "score": 3, - "comment": "OSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - 
}, - { - "techniqueID": "T1560.002", - "score": 3, - "comment": "OSQuery: file_events, powershell_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1547.010", - "score": 3, - "comment": "OSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1556.008", - "score": 3, - "comment": "OSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1027.006", - "score": 3, - "comment": "OSQuery: file_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1056.004", - "score": 2, - "comment": "OSQuery: background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets\n\nSysmon: " - }, - { - "techniqueID": "T1620", - "score": 3, - "comment": "OSQuery: powershell_events\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1027.011", - "score": 3, - "comment": "OSQuery: wmi_cli_event_consumers, wmi_script_event_consumers\n\nSysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1056.001", - "score": 2, - "comment": "Sysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1111", - "score": 2, - "comment": "Sysmon: \n\nWinEvtx: " - }, - { - "techniqueID": "T1129", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1106", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1055.014", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1568.001", - "score": 3, - "comment": "Sysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, 
dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, 
ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" - }, - { - "techniqueID": "T1029", - "score": 3, - "comment": "Sysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, 
pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" - }, - { - "techniqueID": "T1020.001", - "score": 3, - "comment": "Sysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, 
http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" - }, - { - "techniqueID": "T1104", - "score": 3, - "comment": "Sysmon: \n\nWinEvtx: \n\nZeek: arp_reply, 
arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, 
rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" - }, - { - "techniqueID": "T1205.001", - "score": 3, - "comment": "Sysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, 
netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" - }, - { - "techniqueID": "T1030", - "score": 3, - "comment": "Sysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, 
dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, 
ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" - }, - { - "techniqueID": "T1008", - "score": 3, - "comment": "Sysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, 
ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" - }, - { - "techniqueID": "T1055.015", - "score": 1, - "comment": "Sysmon: ", - "color": "#636AD2" - }, - { - "techniqueID": "T1558.004", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1558.003", - "score": 1, - "comment": "WinEvtx: ", - "color": "#9B6956" - }, - { - "techniqueID": "T1568.002", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, 
dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" - }, - { - "techniqueID": "T1595.001", - "score": 1, - "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, 
connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, 
snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request", - "color": "#757575" - } - ], - "gradient": { - "colors": [ - "#b7ffbf", - "#063b00" - ], - "minValue": 1, - "maxValue": 6 - }, - "legendItems": [ { "label": "Auditd", - "color": "#79709F" - }, - { - "label": "CloudTrail", - "color": "#BC5627" - }, - { - "label": "OSQuery", - "color": "#B03FD6" - }, - { - "label": "Sysmon", - "color": "#636AD2" - }, - { - "label": "WinEvtx", - "color": "#9B6956" - }, - { - "label": "Zeek", - "color": "#757575" + "color": "#ed0858" } ] } \ No newline at end of file diff --git a/src/util/create_mappings.py b/src/util/create_mappings.py index 8e8f643..4145877 100644 --- a/src/util/create_mappings.py +++ b/src/util/create_mappings.py @@ -46,7 +46,7 @@ def get_sheets(spreadsheet_location, config_location): # Merge in the Data Source ID's from the ATT&CK Data Source CSV datasource_csv_location = spreadsheet_location.parent.parent.parent data_source_ids = pd.read_csv(Path(datasource_csv_location, f"enterprise-attack-v{version}-datasources.csv"), usecols=[0, 1]) - + df = df.merge(data_source_ids, how="left", left_on="Data Source", right_on="name") df.drop(columns=["name"], inplace=True) df.rename(columns={"ID":"Data Source ID"}, inplace=True) 
@@ -69,13 +69,13 @@ def generate_csv_spreadsheet(sheets, mappings_location): mappings_location.mkdir(parents=True) for sheet, name in sheets: - with mappings_location.joinpath(f"{name}-sensors-mappings-enterprise.csv").open('w', newline='\n', encoding='utf-8') as csvfile: + with mappings_location.joinpath(f"{name}-sensors-mappings-enterprise.csv").open('w', newline='', encoding='utf-8') as csvfile: fieldnames = ['EVENT ID', 'EVENT DESCRIPTION', 'ATT&CK DATA SOURCE ID', 'ATT&CK DATA SOURCE', 'ATT&CK DATA COMPONENT', 'SOURCE', 'RELATIONSHIP', 'TARGET'] dataframe_fields = ['Event ID', 'Event Description', 'Data Source ID', 'Data Source', 'Data Component', 'Source', 'Relationship', 'Target'] writer = csv.DictWriter(csvfile, fieldnames=fieldnames) writer.writeheader() - + for idx, row in sheet.iterrows(): csv_row = {} for i in range(len(fieldnames)): @@ -101,7 +101,7 @@ def _parse_args(): dest="spreadsheet_location", help="filepath to the Excel spreadsheet for the mappings", type=Path, - default=Path(ROOT_DIR, "mappings", "input", + default=Path(ROOT_DIR, "mappings", "input", "enterprise", "xlsx", "Sensor ID to Data Source to API v2.xlsx")) parser.add_argument("-mappings_location", dest="mappings_location",
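Review bot: The row loop in the context lines after the changed blank line walks two parallel lists by index, `for i in range(len(fieldnames)):`, and discards `idx` from `iterrows()`; pairing the lists with `for out_name, df_col in zip(fieldnames, dataframe_fields):` (and `for _, row in sheet.iterrows():`) states the header-to-column mapping directly and removes the index bookkeeping. The body of generate_csv_spreadsheet continues past the hunk, so the lines that fill `csv_row` are not visible here. `newline=''` is the form the csv module documents for files it writes, so the change itself is right; a short comment such as `# newline='' lets csv.DictWriter emit its own line terminators without translation` would keep it from being reverted later. Since the CSV cells appear to be copied straight from the spreadsheet, a cell beginning with `=`, `+`, `-` or `@` would be treated as a formula when the exported CSV is opened in a spreadsheet application; that only matters if the input sheet ever takes contributions that are not reviewed.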