Basic Detection Rules by MITRE ATT&CK TTP
This catalog provides vendor-neutral algorithmic logic for basic deterministic detection rules mapped to MITRE ATT&CK Enterprise techniques and sub-techniques. Rules use signatures, fixed thresholds, allowlists, denylists, state changes, and bounded-window correlations. They do not depend on learned baselines or statistical anomaly models.
Each rule is a starting point. Exact thresholds, approved lists, paths, ports, identities, and time windows must be adapted to the environment. Inline links point to log-source definitions capable of supplying the required events.
Rule Logic Conventions
- MATCH: exact, substring, regular-expression, category, or field match.
- COUNT: number of matching events grouped by an entity within a fixed time window.
- DISTINCT_COUNT: number of unique values observed within a fixed time window.
- SEQUENCE: ordered events correlated by entity within a fixed time window.
- STATE_CHANGE: a protected setting, object, permission, or resource changes from an approved state.
- NOT_IN: value is absent from an explicit approved list.
- MISSING: an expected heartbeat or event is absent for a fixed duration.
- SUM: aggregate of a numeric field grouped by an entity within a fixed time window.
- FOLLOWED_BY: an ordered two-event correlation where event B occurs after event A within a fixed time window, correlated by entity. Equivalent to a two-step SEQUENCE.
- ALERT: emit a detection with the matched evidence.
Reconnaissance
| ATT&CK TTP | Basic algorithmic detection logic | Relevant log sources |
|---|---|---|
| T1595 Active Scanning | COUNT(denied_or_failed_connections BY source_ip, 5m) >= threshold AND DISTINCT_COUNT(destination_port OR destination_host) >= threshold -> ALERT | Network Firewall Logs, Network Flow Logs, Network Intrusion Detection Logs |
| T1595.002 Vulnerability Scanning | MATCH(scanner_signature OR known_scanner_user_agent OR vulnerability_probe_path) AND source_ip NOT_IN approved_scanners -> ALERT | Web Application Firewall Logs, Web Server Access Logs, Network Intrusion Detection Logs |
| T1595.003 Wordlist Scanning | COUNT(http_status IN [404, 403] BY source_ip, 5m) >= threshold AND DISTINCT_COUNT(uri_path) >= threshold -> ALERT | Web Server Access Logs, Web Application Firewall Logs, API Gateway Logs |
| T1590 Gather Victim Network Information | MATCH(dns_zone_transfer_request OR repeated_public_dns_enumeration) AND source_ip NOT_IN approved_dns_admins -> ALERT | Authoritative DNS Logs, Network Intrusion Detection Logs |
Resource Development
Most resource-development TTPs occur outside defender-controlled systems and lack reliable deterministic internal detection. Detection generally begins when staged infrastructure or content interacts with the environment.
| ATT&CK TTP | Basic algorithmic detection logic | Relevant log sources |
|---|---|---|
| T1583 Acquire Infrastructure | MATCH(domain OR certificate OR address IN threat_intelligence_denylist) -> ALERT | Threat-Intelligence Platform Logs, DNS Resolver Logs, TLS and Certificate Metadata Logs |
| T1608 Stage Capabilities | MATCH(download_hash OR url OR sender IN known_malicious_indicators) -> ALERT | Proxy and Secure Web Gateway Logs, Email Gateway Logs, Content Inspection and Malware Scanning Logs |
Initial Access
| ATT&CK TTP | Basic algorithmic detection logic | Relevant log sources |
|---|---|---|
| T1566.001 Spearphishing Attachment | MATCH(attachment_extension IN blocked_types OR attachment_hash IN denylist OR sandbox_verdict = malicious) -> ALERT | Email Gateway Logs, Content Inspection and Malware Scanning Logs, Sandbox Analysis Logs |
| T1566.002 Spearphishing Link | MATCH(message_url IN denylist OR url_category = malicious) -> ALERT | Email Gateway Logs, Proxy and Secure Web Gateway Logs |
| T1566.003 Spearphishing via Service | MATCH(external_message_contains_url_or_attachment) AND sender NOT_IN approved_external_senders -> ALERT | Collaboration Platform Audit Logs, Mailbox Audit Logs |
| T1190 Exploit Public-Facing Application | MATCH(waf_exploit_signature OR ids_exploit_signature OR known_exploit_request_pattern) -> ALERT | Web Application Firewall Logs, Network Intrusion Detection Logs, Web Server Access Logs |
| T1078 Valid Accounts | MATCH(successful_login) AND source_country IN blocked_countries -> ALERT; COUNT(failed_login BY account, 10m) >= threshold FOLLOWED_BY successful_login WITHIN 10m -> ALERT | Identity Provider Sign-In Logs, Directory-Service Authentication Logs, Remote Access and VPN Authentication Logs |
| T1133 External Remote Services | MATCH(successful_remote_access) AND source_ip NOT_IN approved_networks -> ALERT | Remote Access and VPN Authentication Logs, Remote Desktop and Remote Support Logs, Network Firewall Logs |
| T1195 Supply Chain Compromise | MATCH(installed_package_hash NOT_IN approved_manifest OR signature_invalid OR publisher NOT_IN approved_publishers) -> ALERT | Package and Software Installation Logs, Application-Control Logs, Artifact Repository Logs |
Execution
| ATT&CK TTP | Basic algorithmic detection logic | Relevant log sources |
|---|---|---|
| T1059 Command and Scripting Interpreter | MATCH(process_name IN command_interpreters) AND command_line MATCHES suspicious_argument_patterns -> ALERT | Process Execution Logs, Command-Line and Shell History Logs, Script-Execution Logs |
| T1059.001 PowerShell | MATCH(powershell_execution) AND command_or_script MATCHES [encoded_command, download_expression, hidden_window, execution_policy_bypass] -> ALERT | Windows PowerShell Logs, Process Execution Logs |
| T1059.003 Windows Command Shell | MATCH(process_name IN [cmd.exe, command.com]) AND command_line MATCHES suspicious_command_patterns -> ALERT | Process Execution Logs, Windows Security Event Logs |
| T1059.004 Unix Shell | MATCH(shell_execution) AND command_line MATCHES suspicious_command_patterns -> ALERT | Linux Audit Logs, Linux Shell History, Process Execution Logs |
| T1059.005 Visual Basic | MATCH(process_name IN [cscript.exe, wscript.exe]) AND script_path NOT_IN approved_script_paths -> ALERT | Process Execution Logs, Script-Execution Logs |
| T1059.006 Python | MATCH(python_execution) AND (script_path OR parent_process) NOT_IN approved_list -> ALERT | Process Execution Logs, Linux Audit Logs |
| T1059.007 JavaScript | MATCH(script_host_execution) AND script_path IN temporary_or_user_writable_paths -> ALERT | Process Execution Logs, Script-Execution Logs |
| T1204 User Execution | SEQUENCE(file_download_or_attachment_open, process_execution FROM downloaded_file) WITHIN 5m -> ALERT | File-System Activity Logs, Process Execution Logs, Email Gateway Logs |
| T1203 Exploitation for Client Execution | MATCH(exploit_mitigation_block OR application_crash_signature) FOLLOWED_BY child_process_creation WITHIN 2m -> ALERT | Memory-Protection and Exploit-Mitigation Logs, Operating-System Crash and Diagnostic Logs, Process Execution Logs |
| T1218 System Binary Proxy Execution | MATCH(process_name IN proxy_execution_binaries) AND command_line MATCHES known_abuse_patterns -> ALERT | Process Execution Logs, Application-Control Logs |
| T1047 Windows Management Instrumentation | MATCH(wmi_process_or_remote_operation) AND caller_or_command NOT_IN approved_wmi_activity -> ALERT | Windows Remote Management Logs, Process Execution Logs, Windows Security Event Logs |
| T1053 Scheduled Task/Job | MATCH(task_created_or_modified) AND task_action NOT_IN approved_task_actions -> ALERT | Scheduled Task and Job Logs, Windows Task Scheduler Logs |
| T1609 Container Administration Command | MATCH(orchestrator_request_subresource = exec) AND actor NOT_IN approved_container_admins -> ALERT | Orchestrator Audit Logs, Container Runtime Logs |
Persistence
| ATT&CK TTP | Basic algorithmic detection logic | Relevant log sources |
|---|---|---|
| T1136 Create Account | MATCH(account_created) AND creator NOT_IN approved_account_provisioners -> ALERT | Windows Security Event Logs, Directory-Service Audit Logs, Identity Provider Audit Logs |
| T1098 Account Manipulation | MATCH(credential_added OR role_added OR group_membership_changed) AND actor NOT_IN approved_identity_admins -> ALERT | Directory-Service Audit Logs, Identity Provider Audit Logs, Cloud Identity and Access Management Logs |
| T1547.001 Registry Run Keys / Startup Folder | MATCH(registry_or_startup_path IN autostart_locations) AND executable NOT_IN approved_autostart_programs -> ALERT | Registry and Configuration-Store Logs, File-System Activity Logs |
| T1543 Create or Modify System Process | MATCH(service_created_or_modified) AND service_binary NOT_IN approved_service_binaries -> ALERT | Service and Daemon Management Logs, Windows System Event Logs, Linux System Logs |
| T1053 Scheduled Task/Job | MATCH(task_created_or_modified) AND creator NOT_IN approved_schedulers -> ALERT | Scheduled Task and Job Logs, Windows Task Scheduler Logs, Linux Service-Manager Logs |
| T1505.003 Web Shell | MATCH(new_or_modified_file IN web_root) AND extension IN executable_server_extensions -> ALERT; SEQUENCE(web_request, web_server_child_process) WITHIN 1m -> ALERT | File-Integrity Monitoring Logs, Web Server Access Logs, Process Execution Logs |
| T1114.003 Email Forwarding Rule | MATCH(forwarding_rule_created) AND destination_domain NOT_IN approved_domains -> ALERT | Mailbox Audit Logs, Application Audit Logs |
| T1610 Deploy Container | MATCH(workload_created) AND (image NOT_IN approved_images OR privileged = true OR host_mount = true) -> ALERT | Orchestrator Audit Logs, Container Image Registry Logs, Container Admission-Control Logs |
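Both halves of the T1505.003 Web Shell row (the file-drop MATCH and the one-minute SEQUENCE of a web request followed by a web-server child process, correlated by host) as an added Python example; this is not code from the catalog. The web root, the extension and process-name lists, the access-log lines and the file and process events are all constructed for illustration and must be adapted to the environment.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Assumed environment values (placeholders, not from any real deployment).
WEB_ROOT = "/var/www/html"
EXECUTABLE_SERVER_EXTENSIONS = {".php", ".jsp", ".aspx", ".ashx"}
WEB_SERVER_PROCESSES = {"apache2", "nginx", "php-fpm", "w3wp.exe"}
SEQUENCE_WINDOW = timedelta(minutes=1)

# Combined-log-format access line: client, identity, user, [timestamp], "request", status, bytes.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+$'
)


def parse_access_line(host, line):
    """Turn one access-log line from `host` into a web_request event, or None if it does not parse."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ts": ts, "host": host, "client": m.group("ip"), "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def detect_executable_drop_in_web_root(file_events):
    """MATCH(new_or_modified_file IN web_root) AND extension IN executable_server_extensions -> ALERT."""
    alerts = []
    for ts, host, action, path in file_events:
        ext = os.path.splitext(path)[1].lower()
        if action in ("created", "modified") and path.startswith(WEB_ROOT + "/") \
                and ext in EXECUTABLE_SERVER_EXTENSIONS:
            alerts.append((host, path))
    return alerts


def detect_request_followed_by_child(web_requests, process_events, window=SEQUENCE_WINDOW):
    """SEQUENCE(web_request, web_server_child_process) WITHIN 1m, correlated by host -> ALERT."""
    by_host = {}
    for req in web_requests:
        by_host.setdefault(req["host"], []).append(req)
    alerts = []
    for ts, host, parent, child in sorted(process_events, key=lambda e: e[0]):
        if parent not in WEB_SERVER_PROCESSES:
            continue
        # The sequence holds if any request to the same host preceded the spawn by at most `window`.
        preceding = [r for r in by_host.get(host, []) if r["ts"] <= ts <= r["ts"] + window]
        if preceding:
            latest = max(preceding, key=lambda r: r["ts"])
            alerts.append((host, parent, child, latest["path"]))
    return alerts


def at(h, m, s):
    return datetime(2024, 1, 1, h, m, s, tzinfo=timezone.utc)


# Constructed sample telemetry for a hypothetical host "web01".
WEB_ACCESS_LINES = [
    ("web01", '203.0.113.9 - - [01/Jan/2024:09:00:05 +0000] "POST /uploads/img.php HTTP/1.1" 200 512'),
    ("web01", '198.51.100.4 - - [01/Jan/2024:09:30:00 +0000] "GET /index.html HTTP/1.1" 200 2048'),
]
FILE_EVENTS = [  # (timestamp, host, action, path)
    (at(8, 59, 50), "web01", "created", "/var/www/html/uploads/img.php"),   # executable under web root
    (at(8, 59, 55), "web01", "created", "/var/www/html/uploads/photo.jpg"), # not a server-side extension
    (at(9, 10, 0), "web01", "modified", "/etc/hosts"),                      # outside the web root
]
PROCESS_EVENTS = [  # (timestamp, host, parent_process, child_process)
    (at(9, 0, 20), "web01", "php-fpm", "sh"),   # 15 s after the POST: sequence matches
    (at(9, 0, 10), "web01", "sshd", "bash"),    # parent is not a web server: ignored
    (at(9, 45, 0), "web01", "php-fpm", "sh"),   # 15 min after the last request: outside the window
]
```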
Privilege Escalation
| ATT&CK TTP | Basic algorithmic detection logic | Relevant log sources |
|---|---|---|
| T1548 Abuse Elevation Control Mechanism | MATCH(privilege_elevation) AND user_or_binary NOT_IN approved_elevation_list -> ALERT | Windows Security Event Logs, Linux Authentication Logs, Process Execution Logs |
| T1548.001 Setuid and Setgid | MATCH(file_permission_change_sets_setuid_or_setgid) AND file NOT_IN approved_setuid_files -> ALERT | Linux Audit Logs, File-Integrity Monitoring Logs |
| T1548.002 Bypass User Account Control | MATCH(process_or_registry_pattern IN known_uac_bypass_patterns) -> ALERT | Process Execution Logs, Registry and Configuration-Store Logs, Endpoint Detection and Response Telemetry |
| T1068 Exploitation for Privilege Escalation | MATCH(exploit_mitigation_alert OR known_local_exploit_signature) -> ALERT; SEQUENCE(unprivileged_process, privileged_child_process) WITHIN 1m -> ALERT | Memory-Protection and Exploit-Mitigation Logs, Endpoint Detection and Response Telemetry |
| T1134 Access Token Manipulation | MATCH(token_duplication_or_impersonation_event) AND process NOT_IN approved_impersonation_processes -> ALERT | Windows Security Event Logs, Endpoint Detection and Response Telemetry |
| T1611 Escape to Host | MATCH(container_process_accesses_host_namespace_or_protected_host_path) -> ALERT | Container Runtime Security Logs, System-Call Telemetry, Container Runtime Logs |
Defense Evasion
| ATT&CK TTP | Basic algorithmic detection logic | Relevant log sources |
|---|---|---|
| T1036 Masquerading | MATCH(filename_or_service_name IN trusted_names) AND hash_or_path_or_publisher NOT_IN approved_values -> ALERT | Process Execution Logs, File-System Activity Logs, Application-Control Logs |
| T1027 Obfuscated Files or Information | MATCH(command_line_contains_encoding_flags OR script_matches_obfuscation_signature OR file_packer_signature) -> ALERT | Script-Execution Logs, Content Inspection and Malware Scanning Logs, Sandbox Analysis Logs |
| T1055 Process Injection | MATCH(remote_thread_creation OR cross_process_memory_write OR suspicious_process_access) AND source_process NOT_IN approved_injectors -> ALERT | Endpoint Detection and Response Telemetry, Memory-Protection and Exploit-Mitigation Logs, System-Call Telemetry |
| T1070.001 Clear Windows Event Logs | MATCH(event_log_cleared OR process_command_matches_log_clear_command) -> ALERT | Windows Security Event Logs, Process Execution Logs, Central Log Collector Logs |
| T1070.004 File Deletion | MATCH(deletion_of_executable_script_or_log_file) AND actor_or_path NOT_IN approved_deletion_activity -> ALERT | File-System Activity Logs, File-Integrity Monitoring Logs |
| T1070.006 Timestomp | MATCH(file_timestamp_change) AND timestamp_precedes_creation_or_differs_from_known_metadata -> ALERT | File-System Activity Logs, File-Integrity Monitoring Logs |
| T1218 System Binary Proxy Execution | MATCH(proxy_execution_binary) AND command_line MATCHES known_abuse_signature -> ALERT | Process Execution Logs, Application-Control Logs |
| T1562.001 Disable or Modify Tools | MATCH(security_service_stopped OR security_setting_disabled OR exclusion_added) AND actor NOT_IN approved_security_admins -> ALERT | Endpoint Sensor Health Logs, Antivirus and Antimalware Logs, Service and Daemon Management Logs |
| T1562.002 Disable Windows Event Logging | MATCH(event_logging_service_stopped_or_disabled) OR MISSING(expected_windows_events, fixed_duration) -> ALERT | Windows System Event Logs, Central Log Collector Logs, Security Information and Event Management Logs |
| T1562.004 Disable or Modify System Firewall | STATE_CHANGE(firewall_enabled = false OR allow_rule_added) AND actor NOT_IN approved_firewall_admins -> ALERT | Local Firewall Logs, Network Firewall Logs, Cloud Firewall and Security-Group Logs |
| T1562.010 Downgrade Attack | MATCH(installed_or_selected_version < approved_minimum_version) -> ALERT | Package and Software Installation Logs, Configuration and Compliance Scanner Logs |
| T1222 File and Directory Permissions Modification | MATCH(permission_or_owner_change_on_protected_path) AND actor NOT_IN approved_admins -> ALERT | File-System Activity Logs, Linux Audit Logs, File-Integrity Monitoring Logs |
Credential Access
| ATT&CK TTP | Basic algorithmic detection logic | Relevant log sources |
|---|---|---|
| T1110.001 Password Guessing | COUNT(failed_authentication BY source_ip AND account, 5m) >= threshold -> ALERT | Identity Provider Sign-In Logs, Directory-Service Authentication Logs, Application Authentication Logs |
| T1110.003 Password Spraying | DISTINCT_COUNT(account BY source_ip, 10m WHERE authentication_failed) >= threshold AND failures_per_account <= small_threshold -> ALERT | Identity Provider Sign-In Logs, Directory-Service Authentication Logs |
| T1110.004 Credential Stuffing | COUNT(authentication_failed BY source_ip, 10m) >= threshold AND DISTINCT_COUNT(account) >= threshold -> ALERT | Application Authentication Logs, Identity Provider Sign-In Logs, Web Application Firewall Logs |
| T1621 Multi-Factor Authentication Request Generation | COUNT(mfa_challenge BY account, 10m) >= threshold OR COUNT(mfa_denied BY account, 10m) >= threshold -> ALERT | Multi-Factor Authentication Logs, Identity Provider Sign-In Logs |
| T1003 OS Credential Dumping | MATCH(process_access_to_credential_process OR known_dump_tool_signature OR dump_file_pattern) -> ALERT | Endpoint Detection and Response Telemetry, Process Execution Logs, Memory-Protection and Exploit-Mitigation Logs |
| T1555 Credentials from Password Stores | MATCH(access_to_password_store_path_or_api) AND process NOT_IN approved_password_clients -> ALERT | File-System Activity Logs, Endpoint Detection and Response Telemetry, Password-Management and Credential-Vault Logs |
| T1558.003 Kerberoasting | COUNT(service_ticket_request BY account, 10m) >= threshold AND DISTINCT_COUNT(service_name) >= threshold -> ALERT; MATCH(weak_ticket_encryption_type) -> ALERT | Directory-Service Authentication Logs, Windows Security Event Logs |
| T1003.006 DCSync | MATCH(directory_replication_request) AND source_host NOT_IN approved_domain_controllers -> ALERT | Directory-Service Audit Logs, Windows Security Event Logs, Network Intrusion Detection Logs |
| T1552 Unsecured Credentials | MATCH(file_content_or_path_matches_credential_pattern) OR MATCH(secret_retrieval BY unauthorized_identity) -> ALERT | File-System Activity Logs, Secrets-Management Logs, Cloud Secrets-Manager Logs |
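The COUNT and DISTINCT_COUNT primitives from the Rule Logic Conventions, applied to the T1110.001 Password Guessing and T1110.003 Password Spraying rows above over the same stream of failed-authentication events, as an added Python example that is not part of the catalog. The event tuples, addresses, account names, thresholds and window widths are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not from any real system: (timestamp, source_ip, account, outcome).
BASE = datetime(2024, 1, 1, 9, 0, 0)


def _burst(ip, accounts, count_per_account, step_seconds):
    events, t = [], BASE
    for acct in accounts:
        for _ in range(count_per_account):
            events.append((t, ip, acct, "failed"))
            t += timedelta(seconds=step_seconds)
    return events


SAMPLE_EVENTS = (
    _burst("203.0.113.10", ["alice"], 6, 20)                               # one account, six failures in 2 min
    + _burst("198.51.100.7", [f"user{i:02d}" for i in range(12)], 1, 15)  # twelve accounts, one failure each
    + _burst("192.0.2.5", ["bob"], 2, 60)                                  # benign: two typos, then success
    + [(BASE + timedelta(minutes=4), "192.0.2.5", "bob", "success")]
)


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """T1110.001: COUNT(failed_authentication BY source_ip AND account, 5m) >= threshold -> ALERT."""
    recent = defaultdict(deque)  # (source_ip, account) -> failure timestamps still inside the window
    alerts = []
    for ts, ip, account, outcome in sorted(events, key=lambda e: e[0]):
        if outcome != "failed":
            continue
        key = (ip, account)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # evict failures that fell out of the fixed window
            q.popleft()
        if len(q) >= threshold and key not in alerts:  # alert once per entity
            alerts.append(key)
    return alerts


def detect_password_spraying(events, threshold=10, small_threshold=2, window=timedelta(minutes=10)):
    """T1110.003: DISTINCT_COUNT(account BY source_ip, 10m WHERE authentication_failed) >= threshold
    AND failures_per_account <= small_threshold -> ALERT."""
    recent = defaultdict(deque)  # source_ip -> (timestamp, account) failures still inside the window
    alerts = []
    for ts, ip, account, outcome in sorted(events, key=lambda e: e[0]):
        if outcome != "failed":
            continue
        q = recent[ip]
        q.append((ts, account))
        while q and ts - q[0][0] > window:
            q.popleft()
        per_account = defaultdict(int)
        for _, acct in q:
            per_account[acct] += 1
        # Many distinct accounts, each tried only a few times, is the spray shape; a deep burst
        # against a single account is left to the T1110.001 rule.
        if (len(per_account) >= threshold and max(per_account.values()) <= small_threshold
                and ip not in alerts):
            alerts.append(ip)
    return alerts
```

The two rules fire on disjoint sources of the same input: the guessing rule on the single-account burst only, the spraying rule on the many-account source only, and neither on the benign source.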
Discovery
| ATT&CK TTP | Basic algorithmic detection logic | Relevant log sources |
|---|---|---|
| T1087 Account Discovery | MATCH(process_or_api_operation IN account_enumeration_operations) AND actor NOT_IN approved_admin_tools -> ALERT | Process Execution Logs, Directory-Service Audit Logs, Cloud Identity and Access Management Logs |
| T1069 Permission Groups Discovery | MATCH(process_or_api_operation IN group_enumeration_operations) AND actor NOT_IN approved_admin_tools -> ALERT | Process Execution Logs, Directory-Service Audit Logs |
| T1083 File and Directory Discovery | COUNT(directory_listing_or_object_list BY actor, 5m) >= threshold -> ALERT | File-System Activity Logs, Cloud Object-Storage Access Logs, Process Execution Logs |
| T1046 Network Service Discovery | DISTINCT_COUNT(destination_port OR destination_host BY source_host, 5m) >= threshold -> ALERT | Network Flow Logs, Network Firewall Logs, Network Detection and Response Telemetry |
| T1057 Process Discovery | MATCH(command_or_api IN process_enumeration_operations) AND caller NOT_IN approved_tools -> ALERT | Process Execution Logs, Endpoint Detection and Response Telemetry |
| T1518 Software Discovery | MATCH(command_or_api IN software_inventory_operations) AND caller NOT_IN approved_inventory_tools -> ALERT | Process Execution Logs, Asset Inventory and Discovery Logs |
| T1518.001 Security Software Discovery | MATCH(command_queries_security_products_or_services) -> ALERT | Process Execution Logs, Endpoint Detection and Response Telemetry |
| T1580 Cloud Infrastructure Discovery | COUNT(cloud_list_or_describe_operations BY identity, 10m) >= threshold AND identity NOT_IN approved_inventory_roles -> ALERT | Cloud Control-Plane Audit Logs, Cloud Resource-Configuration Inventory |
| T1613 Container and Resource Discovery | COUNT(orchestrator_list_or_get_requests BY identity, 5m) >= threshold AND identity NOT_IN approved_cluster_admins -> ALERT | Orchestrator Audit Logs, Orchestrator Control-Plane Component Logs |
Lateral Movement
| ATT&CK TTP | Basic algorithmic detection logic | Relevant log sources |
|---|---|---|
| T1021.001 Remote Desktop Protocol | MATCH(successful_rdp_session) AND source_host NOT_IN approved_rdp_sources -> ALERT | Remote Desktop and Remote Support Logs, Windows Security Event Logs, Network Flow Logs |
| T1021.002 SMB/Windows Admin Shares | MATCH(admin_share_access OR remote_service_creation) AND source_host NOT_IN approved_admin_hosts -> ALERT | Windows Security Event Logs, File-System Activity Logs, Network Flow Logs |
| T1021.004 SSH | MATCH(successful_ssh_login) AND source_host NOT_IN approved_ssh_sources -> ALERT | Linux Authentication Logs, Network Flow Logs |
| T1021.006 Windows Remote Management | MATCH(remote_management_session_or_command) AND source_host NOT_IN approved_management_hosts -> ALERT | Windows Remote Management Logs, Windows Security Event Logs |
| T1550.002 Pass the Hash | MATCH(ntlm_network_logon_pattern_without_expected_interactive_context) AND source_host NOT_IN approved_admin_hosts -> ALERT | Windows Security Event Logs, Directory-Service Authentication Logs |
| T1570 Lateral Tool Transfer | MATCH(file_written_to_remote_share_or_host) AND file_hash_or_extension IN monitored_types -> ALERT | File-System Activity Logs, File Transfer Service Logs, Network Flow Logs |
Collection
| ATT&CK TTP | Basic algorithmic detection logic | Relevant log sources |
|---|---|---|
| T1005 Data from Local System | COUNT(reads_of_protected_files BY process_or_user, 10m) >= threshold -> ALERT | File-System Activity Logs, Storage-System Audit Logs |
| T1039 Data from Network Shared Drive | COUNT(network_share_file_reads BY user, 10m) >= threshold -> ALERT | File-System Activity Logs, Storage-System Audit Logs, Network Flow Logs |
| T1114 Email Collection | COUNT(message_read_or_export BY actor, 10m) >= threshold OR MATCH(mailbox_export_operation) -> ALERT | Mailbox Audit Logs, Application Audit Logs |
| T1213 Data from Information Repositories | COUNT(repository_reads_or_exports BY actor, 10m) >= threshold OR MATCH(bulk_export_operation) -> ALERT | Database Audit Logs, Data Warehouse Audit Logs, Application Audit Logs |
| T1530 Data from Cloud Storage | COUNT(object_read_or_list BY identity, 10m) >= threshold OR MATCH(snapshot_or_bucket_export) -> ALERT | Cloud Object-Storage Access Logs, Cloud Data-Plane Access Logs |
| T1119 Automated Collection | COUNT(data_access_event BY actor, fixed_window) >= threshold AND process_or_identity NOT_IN approved_collectors -> ALERT | File-System Activity Logs, Database Audit Logs, Cloud Data-Plane Access Logs |
| T1074 Data Staged | MATCH(archive_or_compression_process) AND output_path IN staging_paths -> ALERT; COUNT(files_created_in_staging_path, 10m) >= threshold -> ALERT | Process Execution Logs, File-System Activity Logs |
| T1113 Screen Capture | MATCH(screen_capture_api_or_known_capture_tool) AND process NOT_IN approved_capture_apps -> ALERT | Endpoint Detection and Response Telemetry, Process Execution Logs |
Command and Control
| ATT&CK TTP | Basic algorithmic detection logic | Relevant log sources |
|---|---|---|
| T1071.001 Web Protocols | MATCH(destination_or_url IN denylist OR http_signature IN known_c2_patterns) -> ALERT | Proxy and Secure Web Gateway Logs, Network Intrusion Detection Logs, Network Metadata Logs |
| T1071.004 DNS | MATCH(dns_query_signature IN known_c2_patterns) OR COUNT(long_or_txt_queries BY source_host, 5m) >= threshold -> ALERT | DNS Resolver Logs, Packet-Capture Data, Network Detection and Response Telemetry |
| T1573 Encrypted Channel | MATCH(certificate_fingerprint OR tls_fingerprint IN denylist) OR MATCH(disallowed_tls_version_or_cipher) -> ALERT | TLS and Certificate Metadata Logs, Network Metadata Logs |
| T1102 Web Service | MATCH(connection_to_disallowed_web_service_category OR known_c2_account_or_url) -> ALERT | Proxy and Secure Web Gateway Logs, Collaboration Platform Audit Logs |
| T1105 Ingress Tool Transfer | MATCH(download_hash_or_url IN denylist) OR SEQUENCE(network_download, executable_file_creation) WITHIN 2m -> ALERT | Proxy and Secure Web Gateway Logs, File-System Activity Logs, Content Inspection and Malware Scanning Logs |
| T1090 Proxy | MATCH(proxy_or_tunnel_process_or_configuration) AND actor_or_binary NOT_IN approved_proxy_tools -> ALERT | Process Execution Logs, Network Configuration Change Logs, Network Flow Logs |
| T1572 Protocol Tunneling | MATCH(tunneling_protocol_signature OR disallowed_protocol_over_allowed_port) -> ALERT | Packet-Capture Data, Network Intrusion Detection Logs, Network Metadata Logs |
Exfiltration
| ATT&CK TTP | Basic algorithmic detection logic | Relevant log sources |
|---|---|---|
| T1041 Exfiltration Over C2 Channel | SUM(outbound_bytes BY source_host AND destination, 15m) >= threshold AND destination NOT_IN approved_destinations -> ALERT | Network Flow Logs, Network Firewall Logs, Data Loss Prevention Logs |
| T1048 Exfiltration Over Alternative Protocol | MATCH(outbound_protocol NOT_IN approved_protocols) AND outbound_bytes >= threshold -> ALERT | Network Flow Logs, DNS Resolver Logs, Network Metadata Logs |
| T1567 Exfiltration Over Web Service | MATCH(upload_to_disallowed_web_service) OR SUM(upload_bytes BY user, 15m) >= threshold -> ALERT | Proxy and Secure Web Gateway Logs, Data Loss Prevention Logs, Cloud Data-Plane Access Logs |
| T1052 Exfiltration Over Physical Medium | SEQUENCE(removable_media_connected, protected_file_written_to_media) WITHIN session -> ALERT | Removable-Media and Peripheral Device Logs, File-System Activity Logs, Data Loss Prevention Logs |
| T1020 Automated Exfiltration | MATCH(scheduled_or_automated_transfer_job) AND destination NOT_IN approved_destinations -> ALERT | Scheduled Task and Job Logs, Network Flow Logs, File Transfer Service Logs |
| T1030 Data Transfer Size Limits | COUNT(outbound_transfers_with_similar_small_size BY source AND destination, 30m) >= threshold -> ALERT | Network Flow Logs, Proxy and Secure Web Gateway Logs |
Impact
| ATT&CK TTP | Basic algorithmic detection logic | Relevant log sources |
|---|---|---|
| T1485 Data Destruction | COUNT(delete_operation BY actor_or_process, 5m) >= threshold OR MATCH(delete_on_protected_resource) -> ALERT | File-System Activity Logs, Database Audit Logs, Cloud Object-Storage Access Logs |
| T1486 Data Encrypted for Impact | COUNT(file_write_or_rename BY process, 5m) >= threshold AND DISTINCT_COUNT(file_extension BY process, 5m) >= threshold -> ALERT; MATCH(known_ransomware_signature) -> ALERT | File-System Activity Logs, Endpoint Detection and Response Telemetry, Antivirus and Antimalware Logs |
| T1490 Inhibit System Recovery | MATCH(backup_deleted OR snapshot_deleted OR recovery_setting_disabled OR known_recovery_disable_command) -> ALERT | Backup and Recovery Logs, Process Execution Logs, Cloud Control-Plane Audit Logs |
| T1531 Account Access Removal | MATCH(account_disabled_or_deleted OR credential_reset OR role_removed) AND actor NOT_IN approved_identity_admins -> ALERT | Identity Provider Audit Logs, Directory-Service Audit Logs, Cloud Identity and Access Management Logs |
| T1499 Endpoint Denial of Service | COUNT(request_or_connection BY source, 1m) >= threshold AND service_error_or_unavailable = true -> ALERT | Network Firewall Logs, Web Server Access Logs, Metrics and Monitoring-System Logs |
| T1496 Resource Hijacking | MATCH(known_mining_process_or_pool_destination) OR resource_usage >= fixed_threshold FOR fixed_duration -> ALERT | Process Execution Logs, Network Flow Logs, Metrics and Monitoring-System Logs, Cloud Billing and Usage Logs |
| T1565 Data Manipulation | MATCH(update_or_delete_on_protected_record) AND actor NOT_IN approved_writers -> ALERT | Database Audit Logs, Application Audit Logs, File-Integrity Monitoring Logs |
Deterministic Detection Limitations
- Fixed thresholds require environment-specific tuning and can be evaded by reducing activity rate.
- Signatures and denylists detect known patterns but do not reliably detect novel implementations.
- Allowlists reduce noise but become unsafe when they are broad, stale, or poorly governed.
- Deterministic correlations require reliable timestamps and stable entity identifiers.
- Some ATT&CK TTPs occur outside the monitored environment or produce no reliable deterministic event.
- A matched rule indicates observable behavior, not confirmed malicious intent.