Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
TechniqueID Data Source
Technique/T1001 Packet capture,Process use of network,Process monitoring,Network protocol analysis
Technique/T1002 File monitoring,Binary file metadata,Process command-line parameters,Process monitoring
Technique/T1003 API monitoring,Process command-line parameters,Process monitoring,PowerShell logs
Technique/T1004 Windows Registry,File monitoring,Process monitoring
Technique/T1005 File monitoring,Process monitoring,Process command-line parameters
Technique/T1006 API monitoring
Technique/T1007 Process command-line parameters,Process monitoring
Technique/T1008 Packet capture,Netflow/Enclave netflow,Malware reverse engineering,Process use of network,Process monitoring
Technique/T1010 API monitoring,Process command-line parameters,Process monitoring
Technique/T1011 User interface,Process monitoring
Technique/T1012 Windows Registry,Process monitoring,Process command-line parameters
Technique/T1013 File monitoring,API monitoring,DLL monitoring,Windows Registry,Process monitoring
Technique/T1014 BIOS,MBR,System calls
Technique/T1015 Windows Registry,File monitoring,Process monitoring
Technique/T1016 Process command-line parameters,Process monitoring
Technique/T1017 File monitoring,Process use of network,Process monitoring
Technique/T1018 Network protocol analysis,Process command-line parameters,Process monitoring,Process use of network
Technique/T1019 API monitoring,BIOS,EFI
Technique/T1020 File monitoring,Process monitoring,Process use of network
Technique/T1021 Authentication logs
Technique/T1022 File monitoring,Binary file metadata,Process command-line parameters,Process monitoring
Technique/T1023 File monitoring,Process command-line parameters,Process monitoring
Technique/T1024 Packet capture,Netflow/Enclave netflow,Process use of network,Malware reverse engineering,Process monitoring
Technique/T1025 File monitoring,Process monitoring,Process command-line parameters
Technique/T1026 Packet capture,Netflow/Enclave netflow,Process use of network,Malware reverse engineering,Process monitoring
Technique/T1027 Network protocol analysis,Process use of network,Binary file metadata,File monitoring,Malware reverse engineering,Process command-line parameters,Environment variable,Process Monitoring,Windows event logs,Network intrusion detection system,Email gateway,SSL/TLS inspection
Technique/T1028 File monitoring,Authentication logs,Netflow/Enclave netflow,Process command-line parameters,Process monitoring
Technique/T1029 Netflow/Enclave netflow,Process use of network,Process monitoring
Technique/T1030 Packet capture,Netflow/Enclave netflow,Process use of network,Process monitoring
Technique/T1031 Windows Registry,File monitoring,Process command-line parameters,Process monitoring
Technique/T1032 Packet capture,Netflow/Enclave netflow,Malware reverse engineering,Process use of network,Process monitoring,SSL/TLS inspection
Technique/T1033 File monitoring,Process monitoring,Process command-line parameters
Technique/T1034 File monitoring,Process monitoring
Technique/T1035 Windows Registry,Process command-line parameters,Process monitoring
Technique/T1036 File monitoring,Process monitoring,Binary file metadata
Technique/T1037 File monitoring,Process monitoring
Technique/T1038 File monitoring,DLL monitoring,Process command-line parameters,Process monitoring
Technique/T1039 File monitoring,Process monitoring,Process command-line parameters
Technique/T1040 Network device logs,Host network interface,Netflow/Enclave netflow
Technique/T1041 User interface,Process monitoring
Technique/T1042 Windows Registry,Process command-line parameters,Process monitoring
Technique/T1043 Packet capture,Netflow/Enclave netflow,Process use of network,Process monitoring
Technique/T1044 File monitoring,Process command-line parameters,Services
Technique/T1045 Binary file metadata
Technique/T1046 Netflow/Enclave netflow,Network protocol analysis,Packet capture,Process command-line parameters,Process use of network
Technique/T1047 Authentication logs,Netflow/Enclave netflow,Process command-line parameters,Process monitoring
Technique/T1048 User interface,Process monitoring,Process use of network,Packet capture,Netflow/Enclave netflow,Network protocol analysis
Technique/T1049 Process command-line parameters,Process monitoring
Technique/T1050 Windows Registry,Process monitoring,Process command-line parameters
Technique/T1051 File monitoring,Process monitoring
Technique/T1052 Data loss prevention,File monitoring
Technique/T1053 File monitoring,Process command-line parameters,Process monitoring,Windows event logs
Technique/T1054 Sensor health and status,Process command-line parameters,Process monitoring
Technique/T1055 API monitoring,Windows Registry,File monitoring,DLL monitoring,Named Pipes,Process Monitoring
Technique/T1056 Windows Registry,Kernel drivers,Process monitoring,API monitoring
Technique/T1057 Process command-line parameters,Process monitoring
Technique/T1058 Process command-line parameters,Services,Windows Registry
Technique/T1059 Process command-line parameters,Process monitoring
Technique/T1060 Windows Registry,File monitoring
Technique/T1061 File monitoring,Binary file metadata,Process command-line parameters,Process monitoring
Technique/T1062 System calls
Technique/T1063 File monitoring,Process command-line parameters,Process monitoring
Technique/T1064 Process monitoring,File monitoring,Process command-line parameters
Technique/T1065 Netflow/Enclave netflow,Process use of network,Process monitoring
Technique/T1066 Process use of network,Anti-virus,Binary file metadata,Process command-line parameters,Process monitoring
Technique/T1067 API monitoring,MBR,VBR
Technique/T1068 Windows Error Reporting,Process monitoring,Application Logs
Technique/T1069 API monitoring,Process command-line parameters,Process monitoring
Technique/T1070 File monitoring,Process command-line parameters,Process monitoring
Technique/T1071 Packet capture,Netflow/Enclave netflow,Process use of network,Malware reverse engineering,Process monitoring
Technique/T1072 Binary file metadata,File monitoring,Process monitoring,Process use of network,Third-party application logs,Windows Registry
Technique/T1073 Process use of network,Process monitoring,Loaded DLLs
Technique/T1074 File monitoring,Process monitoring,Process command-line parameters
Technique/T1075 Authentication logs
Technique/T1076 Authentication logs,Netflow/Enclave netflow,Process monitoring
Technique/T1077 Process use of network,Authentication logs,Process command-line parameters,Process monitoring
Technique/T1078 Authentication logs,Process monitoring
Technique/T1079 Packet capture,Process use of network,Malware reverse engineering,Process monitoring
Technique/T1080 File monitoring,Process monitoring
Technique/T1081 File monitoring,Process command-line parameters
Technique/T1082 Process command-line parameters,Process monitoring
Technique/T1083 File monitoring,Process command-line parameters,Process monitoring
Technique/T1084 WMI Objects
Technique/T1085 File monitoring,Binary file metadata,Process command-line parameters,Process monitoring
Technique/T1086 Windows Registry,File monitoring,Process command-line parameters,Process monitoring
Technique/T1087 API monitoring,Process command-line parameters,Process monitoring
Technique/T1088 System calls,Process monitoring,Authentication logs,Process command-line parameters
Technique/T1089 API monitoring,Anti-virus,File monitoring,Services,Windows Registry,Process command-line parameters
Technique/T1090 Process use of network,Process monitoring,Netflow/Enclave netflow,Packet capture
Technique/T1091 File monitoring,Data loss prevention
Technique/T1092 File monitoring,Data loss prevention
Technique/T1093 Process monitoring,API monitoring
Technique/T1094 Packet capture,Netflow/Enclave netflow,Process use of network,Process monitoring
Technique/T1096 File monitoring,Kernel drivers,API monitoring
Technique/T1097 Authentication logs
Technique/T1098 Authentication logs,API monitoring,Windows event logs,Packet capture
Technique/T1099 File monitoring,Process monitoring,Process command-line parameters
Technique/T1100 Anti-virus,File monitoring,Process monitoring,Authentication logs,Netflow/Enclave netflow
Technique/T1101 DLL monitoring,Windows Registry,Loaded DLLs
Technique/T1102 Host network interface,Netflow/Enclave netflow,Network protocol analysis,Packet capture,SSL/TLS inspection
Technique/T1103 Loaded DLLs,Process monitoring,Windows Registry
Technique/T1104 Netflow/Enclave netflow,Network device logs,Network protocol analysis,Packet capture,Process use of network
Technique/T1105 File monitoring,Packet capture,Process use of network,Netflow/Enclave netflow,Network protocol analysis,Process monitoring
Technique/T1106 API monitoring,Process monitoring
Technique/T1107 Binary file metadata,File monitoring,Process command-line parameters
Technique/T1108 Process monitoring,Process use of network,Packet capture,Network protocol analysis,File monitoring,Binary file metadata,Authentication logs
Technique/T1110 Authentication logs
Technique/T1112 Windows Registry,File monitoring,Process monitoring,Process command-line parameters
Technique/T1113 API monitoring,Process monitoring,File monitoring
Technique/T1114 Authentication logs,File monitoring,Process monitoring,Process use of network
Technique/T1115 API monitoring
Technique/T1116 Binary file metadata
Technique/T1117 Loaded DLLs,Process monitoring,Process command-line parameters,Windows Registry
Technique/T1118 Process monitoring,Process command-line parameters
Technique/T1119 File monitoring,Process command-line parameters,Data loss prevention
Technique/T1121 Process monitoring,Process command-line parameters
Technique/T1122 Windows Registry,DLL monitoring,Loaded DLLs
Technique/T1123 API monitoring,Process monitoring,File monitoring
Technique/T1124 Process monitoring,Process command-line parameters,API monitoring
Technique/T1125 Process monitoring,File monitoring,API monitoring
Technique/T1126 Process monitoring,Process command-line parameters,Packet capture,Authentication logs
Technique/T1127 Process monitoring
Technique/T1128 Process monitoring,DLL monitoring,Windows Registry
Technique/T1129 Process Monitoring,API monitoring,File monitoring,DLL monitoring
Technique/T1130 SSL/TLS inspection,Digital Certificate Logs
Technique/T1131 DLL monitoring,Windows Registry,Loaded DLLs
Technique/T1132 Packet capture,Process use of network,Process Monitoring,Network protocol analysis
Technique/T1133 Authentication logs
Technique/T1134 API monitoring,Access Tokens
Technique/T1135 Process Monitoring,Process command-line parameters,Network protocol analysis,Process use of network
Technique/T1136 Process Monitoring,Process command-line parameters,Authentication logs,Windows event logs
Technique/T1137 Process monitoring,Process command-line parameters,Windows Registry,File monitoring
Technique/T1138 Loaded DLLs,System calls,Windows Registry,Process Monitoring,Process command-line parameters
Technique/T1139 File monitoring,Process monitoring,Process command-line parameters
Technique/T1140 File monitoring,Process Monitoring,Process command-line parameters
Technique/T1141 User interface,Process Monitoring
Technique/T1142 System calls,Process Monitoring
Technique/T1143 File monitoring
Technique/T1145 File monitoring
Technique/T1146 Authentication logs,File monitoring
Technique/T1147 Authentication logs,File monitoring
Technique/T1148 Process Monitoring,Authentication logs,File monitoring,Environment variable
Technique/T1149 Binary file metadata,Malware reverse engineering,Process Monitoring
Technique/T1150 File monitoring,Process Monitoring,Process command-line parameters
Technique/T1151 File monitoring,Process Monitoring
Technique/T1152 File monitoring,Process Monitoring,Process command-line parameters
Technique/T1153 Process Monitoring,File monitoring,Process command-line parameters
Technique/T1154 File monitoring,Process Monitoring,Process command-line parameters
Technique/T1155 API monitoring,System calls,Process Monitoring,Process command-line parameters
Technique/T1156 File monitoring,Process Monitoring,Process command-line parameters,Process use of network
Technique/T1157 File monitoring
Technique/T1158 File monitoring,Process Monitoring,Process command-line parameters
Technique/T1159 File monitoring,Process Monitoring
Technique/T1160 Process Monitoring,File monitoring
Technique/T1161 Binary file metadata,Process Monitoring,Process command-line parameters,File monitoring
Technique/T1163 File monitoring,Process Monitoring
Technique/T1165 File monitoring,Process Monitoring
Technique/T1166 File monitoring,Process Monitoring,Process command-line parameters
Technique/T1167 Process Monitoring
Technique/T1168 File monitoring,Process Monitoring
Technique/T1169 File monitoring
Technique/T1170 Process monitoring,Process command-line parameters
Technique/T1171 Windows Registry,Packet capture,Netflow/Enclave netflow
Technique/T1172 SSL/TLS inspection,Packet capture
Technique/T1173 API monitoring,DLL monitoring,Process Monitoring,Windows Registry,Windows event logs
Technique/T1174 DLL monitoring,Windows Registry,Process monitoring
Technique/T1175 API monitoring,Authentication logs,DLL monitoring,Packet capture,Process monitoring,Windows Registry,Windows event logs
Technique/T1176 Network protocol analysis,Packet capture,System calls,Process use of network,Process monitoring,Browser extensions
Technique/T1177 API monitoring,DLL monitoring,File monitoring,Kernel drivers,Loaded DLLs,Process Monitoring
Technique/T1178 API monitoring,Authentication logs,Windows event logs
Technique/T1179 API monitoring,Binary file metadata,DLL monitoring,Loaded DLLs,Process Monitoring,Windows event logs
Technique/T1180 Process Monitoring,Process command-line parameters,Windows Registry,File monitoring
Technique/T1182 Loaded DLLs,Process Monitoring,Windows Registry
Technique/T1183 Process Monitoring,Windows Registry,Windows event logs
Technique/T1184 Authentication logs
Technique/T1185 Authentication logs,Packet capture,Process Monitoring,API monitoring
Technique/T1186 API monitoring,Process Monitoring
Technique/T1187 File monitoring,Network protocol analysis,Network device logs,Process use of network
Technique/T1188 Network protocol analysis,Netflow/Enclave netflow
Technique/T1189 Packet capture,Network device logs,Process use of network,Web proxy,Network intrusion detection system,SSL/TLS inspection
Technique/T1190 Application logs,Packet capture,Web logs,Web application firewall logs
Technique/T1191 Process Monitoring,Process command-line parameters
Technique/T1192 Packet capture,Web proxy,Email gateway,Detonation chamber,SSL/TLS inspection,DNS records,Mail server
Technique/T1193 File monitoring,Packet capture,Mail server,Network intrusion detection system,Detonation chamber,Email gateway
Technique/T1194 SSL/TLS inspection,Anti-virus,Web proxy
Technique/T1195 Web proxy,File monitoring
Technique/T1196 API monitoring,Binary file metadata,DLL monitoring,Process command-line parameters,Process Monitoring,Windows Registry,Windows event logs
Technique/T1197 API monitoring,Packet capture,Windows event logs
Technique/T1198 API monitoring,Application Logs,DLL monitoring,Loaded DLLs,Process Monitoring,Windows Registry,Windows event logs
Technique/T1199 Application Logs,Authentication logs,Third-party application logs
Technique/T1200 Asset Management,Data loss prevention
Technique/T1201 Process command-line parameters,Process Monitoring
Technique/T1202 Process Monitoring,Process command-line parameters,Windows event logs
Technique/T1203 Anti-virus,System calls,Process Monitoring
Technique/T1204 Anti-virus,Process command-line parameters,Process monitoring
Technique/T1206 File monitoring,Process command-line parameters
Technique/T1207 API monitoring,Authentication logs,Network protocol analysis,Packet capture
Technique/T1208 Windows event logs
Technique/T1209 API monitoring,Binary file metadata,DLL monitoring,File monitoring,Loaded DLLs,Process Monitoring
Technique/T1210 Windows Error Reporting,Process Monitoring,File monitoring
Technique/T1211 Windows Error Reporting,Process Monitoring,File monitoring
Technique/T1212 Authentication logs,Windows Error Reporting,Process Monitoring
Technique/T1213 Application Logs,Authentication logs,Data loss prevention,Third-party application logs
Technique/T1214 Windows Registry,Process command-line parameters,Process Monitoring
Technique/T1215 System calls,Process Monitoring,Process command-line parameters
Technique/T1216 Process monitoring,Process command-line parameters
Technique/T1217 API monitoring,File monitoring,Process command-line parameters,Process Monitoring
Technique/T1218 Process monitoring,Process command-line parameters
Technique/T1219 Network intrusion detection system,Network protocol analysis,Process use of network,Process Monitoring
TechniqueID DataSource
T1001 Packet capture
T1001 Process use of network
T1001 Process monitoring
T1001 Network protocol analysis
T1002 File monitoring
T1002 Binary file metadata
T1002 Process command-line parameters
T1002 Process monitoring
T1003 API monitoring
T1003 Process command-line parameters
T1003 Process monitoring
T1003 PowerShell logs
T1004 Windows Registry
T1004 File monitoring
T1004 Process monitoring
T1005 File monitoring
T1005 Process monitoring
T1005 Process command-line parameters
T1006 API monitoring
T1007 Process command-line parameters
T1007 Process monitoring
T1008 Packet capture
T1008 Netflow/Enclave netflow
T1008 Malware reverse engineering
T1008 Process use of network
T1008 Process monitoring
T1010 API monitoring
T1010 Process command-line parameters
T1010 Process monitoring
T1011 User interface
T1011 Process monitoring
T1012 Windows Registry
T1012 Process monitoring
T1012 Process command-line parameters
T1013 File monitoring
T1013 API monitoring
T1013 DLL monitoring
T1013 Windows Registry
T1013 Process monitoring
T1014 BIOS
T1014 MBR
T1014 System calls
T1015 Windows Registry
T1015 File monitoring
T1015 Process monitoring
T1016 Process command-line parameters
T1016 Process monitoring
T1017 File monitoring
T1017 Process use of network
T1017 Process monitoring
T1018 Network protocol analysis
T1018 Process command-line parameters
T1018 Process monitoring
T1018 Process use of network
T1019 API monitoring
T1019 BIOS
T1019 EFI
T1020 File monitoring
T1020 Process monitoring
T1020 Process use of network
T1021 Authentication logs
T1022 File monitoring
T1022 Binary file metadata
T1022 Process command-line parameters
T1022 Process monitoring
T1023 File monitoring
T1023 Process command-line parameters
T1023 Process monitoring
T1024 Packet capture
T1024 Netflow/Enclave netflow
T1024 Process use of network
T1024 Malware reverse engineering
T1024 Process monitoring
T1025 File monitoring
T1025 Process monitoring
T1025 Process command-line parameters
T1026 Packet capture
T1026 Netflow/Enclave netflow
T1026 Process use of network
T1026 Malware reverse engineering
T1026 Process monitoring
T1027 Network protocol analysis
T1027 Process use of network
T1027 Binary file metadata
T1027 File monitoring
T1027 Malware reverse engineering
T1027 Process command-line parameters
T1027 Environment variable
T1027 Process Monitoring
T1027 Windows event logs
T1027 Network intrusion detection system
T1027 Email gateway
T1027 SSL/TLS inspection
T1028 File monitoring
T1028 Authentication logs
T1028 Netflow/Enclave netflow
T1028 Process command-line parameters
T1028 Process monitoring
T1029 Netflow/Enclave netflow
T1029 Process use of network
T1029 Process monitoring
T1030 Packet capture
T1030 Netflow/Enclave netflow
T1030 Process use of network
T1030 Process monitoring
T1031 Windows Registry
T1031 File monitoring
T1031 Process command-line parameters
T1031 Process monitoring
T1032 Packet capture
T1032 Netflow/Enclave netflow
T1032 Malware reverse engineering
T1032 Process use of network
T1032 Process monitoring
T1032 SSL/TLS inspection
T1033 File monitoring
T1033 Process monitoring
T1033 Process command-line parameters
T1034 File monitoring
T1034 Process monitoring
T1035 Windows Registry
T1035 Process command-line parameters
T1035 Process monitoring
T1036 File monitoring
T1036 Process monitoring
T1036 Binary file metadata
T1037 File monitoring
T1037 Process monitoring
T1038 File monitoring
T1038 DLL monitoring
T1038 Process command-line parameters
T1038 Process monitoring
T1039 File monitoring
T1039 Process monitoring
T1039 Process command-line parameters
T1040 Network device logs
T1040 Host network interface
T1040 Netflow/Enclave netflow
T1041 User interface
T1041 Process monitoring
T1042 Windows Registry
T1042 Process command-line parameters
T1042 Process monitoring
T1043 Packet capture
T1043 Netflow/Enclave netflow
T1043 Process use of network
T1043 Process monitoring
T1044 File monitoring
T1044 Process command-line parameters
T1044 Services
T1045 Binary file metadata
T1046 Netflow/Enclave netflow
T1046 Network protocol analysis
T1046 Packet capture
T1046 Process command-line parameters
T1046 Process use of network
T1047 Authentication logs
T1047 Netflow/Enclave netflow
T1047 Process command-line parameters
T1047 Process monitoring
T1048 User interface
T1048 Process monitoring
T1048 Process use of network
T1048 Packet capture
T1048 Netflow/Enclave netflow
T1048 Network protocol analysis
T1049 Process command-line parameters
T1049 Process monitoring
T1050 Windows Registry
T1050 Process monitoring
T1050 Process command-line parameters
T1051 File monitoring
T1051 Process monitoring
T1052 Data loss prevention
T1052 File monitoring
T1053 File monitoring
T1053 Process command-line parameters
T1053 Process monitoring
T1053 Windows event logs
T1054 Sensor health and status
T1054 Process command-line parameters
T1054 Process monitoring
T1055 API monitoring
T1055 Windows Registry
T1055 File monitoring
T1055 DLL monitoring
T1055 Named Pipes
T1055 Process Monitoring
T1056 Windows Registry
T1056 Kernel drivers
T1056 Process monitoring
T1056 API monitoring
T1057 Process command-line parameters
T1057 Process monitoring
T1058 Process command-line parameters
T1058 Services
T1058 Windows Registry
T1059 Process command-line parameters
T1059 Process monitoring
T1060 Windows Registry
T1060 File monitoring
T1061 File monitoring
T1061 Binary file metadata
T1061 Process command-line parameters
T1061 Process monitoring
T1062 System calls
T1063 File monitoring
T1063 Process command-line parameters
T1063 Process monitoring
T1064 Process monitoring
T1064 File monitoring
T1064 Process command-line parameters
T1065 Netflow/Enclave netflow
T1065 Process use of network
T1065 Process monitoring
T1066 Process use of network
T1066 Anti-virus
T1066 Binary file metadata
T1066 Process command-line parameters
T1066 Process monitoring
T1067 API monitoring
T1067 MBR
T1067 VBR
T1068 Windows Error Reporting
T1068 Process monitoring
T1068 Application Logs
T1069 API monitoring
T1069 Process command-line parameters
T1069 Process monitoring
T1070 File monitoring
T1070 Process command-line parameters
T1070 Process monitoring
T1071 Packet capture
T1071 Netflow/Enclave netflow
T1071 Process use of network
T1071 Malware reverse engineering
T1071 Process monitoring
T1072 Binary file metadata
T1072 File monitoring
T1072 Process monitoring
T1072 Process use of network
T1072 Third-party application logs
T1072 Windows Registry
T1073 Process use of network
T1073 Process monitoring
T1073 Loaded DLLs
T1074 File monitoring
T1074 Process monitoring
T1074 Process command-line parameters
T1075 Authentication logs
T1076 Authentication logs
T1076 Netflow/Enclave netflow
T1076 Process monitoring
T1077 Process use of network
T1077 Authentication logs
T1077 Process command-line parameters
T1077 Process monitoring
T1078 Authentication logs
T1078 Process monitoring
T1079 Packet capture
T1079 Process use of network
T1079 Malware reverse engineering
T1079 Process monitoring
T1080 File monitoring
T1080 Process monitoring
T1081 File monitoring
T1081 Process command-line parameters
T1082 Process command-line parameters
T1082 Process monitoring
T1083 File monitoring
T1083 Process command-line parameters
T1083 Process monitoring
T1084 WMI Objects
T1085 File monitoring
T1085 Binary file metadata
T1085 Process command-line parameters
T1085 Process monitoring
T1086 Windows Registry
T1086 File monitoring
T1086 Process command-line parameters
T1086 Process monitoring
T1087 API monitoring
T1087 Process command-line parameters
T1087 Process monitoring
T1088 System calls
T1088 Process monitoring
T1088 Authentication logs
T1088 Process command-line parameters
T1089 API monitoring
T1089 Anti-virus
T1089 File monitoring
T1089 Services
T1089 Windows Registry
T1089 Process command-line parameters
T1090 Process use of network
T1090 Process monitoring
T1090 Netflow/Enclave netflow
T1090 Packet capture
T1091 File monitoring
T1091 Data loss prevention
T1092 File monitoring
T1092 Data loss prevention
T1093 Process monitoring
T1093 API monitoring
T1094 Packet capture
T1094 Netflow/Enclave netflow
T1094 Process use of network
T1094 Process monitoring
T1096 File monitoring
T1096 Kernel drivers
T1096 API monitoring
T1097 Authentication logs
T1098 Authentication logs
T1098 API monitoring
T1098 Windows event logs
T1098 Packet capture
T1099 File monitoring
T1099 Process monitoring
T1099 Process command-line parameters
T1100 Anti-virus
T1100 File monitoring
T1100 Process monitoring
T1100 Authentication logs
T1100 Netflow/Enclave netflow
T1101 DLL monitoring
T1101 Windows Registry
T1101 Loaded DLLs
T1102 Host network interface
T1102 Netflow/Enclave netflow
T1102 Network protocol analysis
T1102 Packet capture
T1102 SSL/TLS inspection
T1103 Loaded DLLs
T1103 Process monitoring
T1103 Windows Registry
T1104 Netflow/Enclave netflow
T1104 Network device logs
T1104 Network protocol analysis
T1104 Packet capture
T1104 Process use of network
T1105 File monitoring
T1105 Packet capture
T1105 Process use of network
T1105 Netflow/Enclave netflow
T1105 Network protocol analysis
T1105 Process monitoring
T1106 API monitoring
T1106 Process monitoring
T1107 Binary file metadata
T1107 File monitoring
T1107 Process command-line parameters
T1108 Process monitoring
T1108 Process use of network
T1108 Packet capture
T1108 Network protocol analysis
T1108 File monitoring
T1108 Binary file metadata
T1108 Authentication logs
T1110 Authentication logs
T1112 Windows Registry
T1112 File monitoring
T1112 Process monitoring
T1112 Process command-line parameters
T1113 API monitoring
T1113 Process monitoring
T1113 File monitoring
T1114 Authentication logs
T1114 File monitoring
T1114 Process monitoring
T1114 Process use of network
T1115 API monitoring
T1116 Binary file metadata
T1117 Loaded DLLs
T1117 Process monitoring
T1117 Process command-line parameters
T1117 Windows Registry
T1118 Process monitoring
T1118 Process command-line parameters
T1119 File monitoring
T1119 Process command-line parameters
T1119 Data loss prevention
T1121 Process monitoring
T1121 Process command-line parameters
T1122 Windows Registry
T1122 DLL monitoring
T1122 Loaded DLLs
T1123 API monitoring
T1123 Process monitoring
T1123 File monitoring
T1124 Process monitoring
T1124 Process command-line parameters
T1124 API monitoring
T1125 Process monitoring
T1125 File monitoring
T1125 API monitoring
T1126 Process monitoring
T1126 Process command-line parameters
T1126 Packet capture
T1126 Authentication logs
T1127 Process monitoring
T1128 Process monitoring
T1128 DLL monitoring
T1128 Windows Registry
T1129 Process Monitoring
T1129 API monitoring
T1129 File monitoring
T1129 DLL monitoring
T1130 SSL/TLS inspection
T1130 Digital Certificate Logs
T1131 DLL monitoring
T1131 Windows Registry
T1131 Loaded DLLs
T1132 Packet capture
T1132 Process use of network
T1132 Process Monitoring
T1132 Network protocol analysis
T1133 Authentication logs
T1134 API monitoring
T1134 Access Tokens
T1135 Process Monitoring
T1135 Process command-line parameters
T1135 Network protocol analysis
T1135 Process use of network
T1136 Process Monitoring
T1136 Process command-line parameters
T1136 Authentication logs
T1136 Windows event logs
T1137 Process monitoring
T1137 Process command-line parameters
T1137 Windows Registry
T1137 File monitoring
T1138 Loaded DLLs
T1138 System calls
T1138 Windows Registry
T1138 Process Monitoring
T1138 Process command-line parameters
T1139 File monitoring
T1139 Process monitoring
T1139 Process command-line parameters
T1140 File monitoring
T1140 Process Monitoring
T1140 Process command-line parameters
T1141 User interface
T1141 Process Monitoring
T1142 System calls
T1142 Process Monitoring
T1143 File monitoring
T1145 File monitoring
T1146 Authentication logs
T1146 File monitoring
T1147 Authentication logs
T1147 File monitoring
T1148 Process Monitoring
T1148 Authentication logs
T1148 File monitoring
T1148 Environment variable
T1149 Binary file metadata
T1149 Malware reverse engineering
T1149 Process Monitoring
T1150 File monitoring
T1150 Process Monitoring
T1150 Process command-line parameters
T1151 File monitoring
T1151 Process Monitoring
T1152 File monitoring
T1152 Process Monitoring
T1152 Process command-line parameters
T1153 Process Monitoring
T1153 File monitoring
T1153 Process command-line parameters
T1154 File monitoring
T1154 Process Monitoring
T1154 Process command-line parameters
T1155 API monitoring
T1155 System calls
T1155 Process Monitoring
T1155 Process command-line parameters
T1156 File monitoring
T1156 Process Monitoring
T1156 Process command-line parameters
T1156 Process use of network
T1157 File monitoring
T1158 File monitoring
T1158 Process Monitoring
T1158 Process command-line parameters
T1159 File monitoring
T1159 Process Monitoring
T1160 Process Monitoring
T1160 File monitoring
T1161 Binary file metadata
T1161 Process Monitoring
T1161 Process command-line parameters
T1161 File monitoring
T1163 File monitoring
T1163 Process Monitoring
T1165 File monitoring
T1165 Process Monitoring
T1166 File monitoring
T1166 Process Monitoring
T1166 Process command-line parameters
T1167 Process Monitoring
T1168 File monitoring
T1168 Process Monitoring
T1169 File monitoring
T1170 Process monitoring
T1170 Process command-line parameters
T1171 Windows Registry
T1171 Packet capture
T1171 Netflow/Enclave netflow
T1172 SSL/TLS inspection
T1172 Packet capture
T1173 API monitoring
T1173 DLL monitoring
T1173 Process Monitoring
T1173 Windows Registry
T1173 Windows event logs
T1174 DLL monitoring
T1174 Windows Registry
T1174 Process monitoring
T1175 API monitoring
T1175 Authentication logs
T1175 DLL monitoring
T1175 Packet capture
T1175 Process monitoring
T1175 Windows Registry
T1175 Windows event logs
T1176 Network protocol analysis
T1176 Packet capture
T1176 System calls
T1176 Process use of network
T1176 Process monitoring
T1176 Browser extensions
T1177 API monitoring
T1177 DLL monitoring
T1177 File monitoring
T1177 Kernel drivers
T1177 Loaded DLLs
T1177 Process Monitoring
T1178 API monitoring
T1178 Authentication logs
T1178 Windows event logs
T1179 API monitoring
T1179 Binary file metadata
T1179 DLL monitoring
T1179 Loaded DLLs
T1179 Process Monitoring
T1179 Windows event logs
T1180 Process Monitoring
T1180 Process command-line parameters
T1180 Windows Registry
T1180 File monitoring
T1182 Loaded DLLs
T1182 Process Monitoring
T1182 Windows Registry
T1183 Process Monitoring
T1183 Windows Registry
T1183 Windows event logs
T1184 Authentication logs
T1185 Authentication logs
T1185 Packet capture
T1185 Process Monitoring
T1185 API monitoring
T1186 API monitoring
T1186 Process Monitoring
T1187 File monitoring
T1187 Network protocol analysis
T1187 Network device logs
T1187 Process use of network
T1188 Network protocol analysis
T1188 Netflow/Enclave netflow
T1189 Packet capture
T1189 Network device logs
T1189 Process use of network
T1189 Web proxy
T1189 Network intrusion detection system
T1189 SSL/TLS inspection
T1190 Application logs
T1190 Packet capture
T1190 Web logs
T1190 Web application firewall logs
T1191 Process Monitoring
T1191 Process command-line parameters
T1192 Packet capture
T1192 Web proxy
T1192 Email gateway
T1192 Detonation chamber
T1192 SSL/TLS inspection
T1192 DNS records
T1192 Mail server
T1193 File monitoring
T1193 Packet capture
T1193 Mail server
T1193 Network intrusion detection system
T1193 Detonation chamber
T1193 Email gateway
T1194 SSL/TLS inspection
T1194 Anti-virus
T1194 Web proxy
T1195 Web proxy
T1195 File monitoring
T1196 API monitoring
T1196 Binary file metadata
T1196 DLL monitoring
T1196 Process command-line parameters
T1196 Process Monitoring
T1196 Windows Registry
T1196 Windows event logs
T1197 API monitoring
T1197 Packet capture
T1197 Windows event logs
T1198 API monitoring
T1198 Application Logs
T1198 DLL monitoring
T1198 Loaded DLLs
T1198 Process Monitoring
T1198 Windows Registry
T1198 Windows event logs
T1199 Application Logs
T1199 Authentication logs
T1199 Third-party application logs
T1200 Asset Management
T1200 Data loss prevention
T1201 Process command-line parameters
T1201 Process Monitoring
T1202 Process Monitoring
T1202 Process command-line parameters
T1202 Windows event logs
T1203 Anti-virus
T1203 System calls
T1203 Process Monitoring
T1204 Anti-virus
T1204 Process command-line parameters
T1204 Process monitoring
T1206 File monitoring
T1206 Process command-line parameters
T1207 API monitoring
T1207 Authentication logs
T1207 Network protocol analysis
T1207 Packet capture
T1208 Windows event logs
T1209 API monitoring
T1209 Binary file metadata
T1209 DLL monitoring
T1209 File monitoring
T1209 Loaded DLLs
T1209 Process Monitoring
T1210 Windows Error Reporting
T1210 Process Monitoring
T1210 File monitoring
T1211 Windows Error Reporting
T1211 Process Monitoring
T1211 File monitoring
T1212 Authentication logs
T1212 Windows Error Reporting
T1212 Process Monitoring
T1213 Application Logs
T1213 Authentication logs
T1213 Data loss prevention
T1213 Third-party application logs
T1214 Windows Registry
T1214 Process command-line parameters
T1214 Process Monitoring
T1215 System calls
T1215 Process Monitoring
T1215 Process command-line parameters
T1216 Process monitoring
T1216 Process command-line parameters
T1217 API monitoring
T1217 File monitoring
T1217 Process command-line parameters
T1217 Process Monitoring
T1218 Process monitoring
T1218 Process command-line parameters
T1219 Network intrusion detection system
T1219 Network protocol analysis
T1219 Process use of network
T1219 Process Monitoring
. .\Invoke-ATTACKAPI.ps1
$ATTACK = Invoke-ATTACKAPI -All | Select-Object -Property TechniqueID, @{Name='Data Source';Expression={[string]::join(",", ($_."Data Source"))}} -Unique #| Export-Csv -Path mappings-all.csv
#$ATTACK = Import-CSV mappings-all.csv
for($i = 0; $i -lt $ATTACK.Count; $i++)
$DataSourceList = $ATTACK[$i]."Data Source".Split(",")
for($j = 0 ; $j -lt $DataSourceList.Count;$j++)
Write-Host $ATTACK[$i].TechniqueID "," $DataSourceList[$j]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.