Surface And Capability Matrix

Use this page when the starting point is not an actor name. Pick the exposed surface or defender capability, then route to the relevant actors, hunts, detections, and telemetry fields.

Identity, MDM, And Cloud Administration

Capability route: Find privileged identity abuse, destructive device actions, risky MFA changes, and OAuth or session persistence.

Relevant actors: Void Manticore / Handala; APT42; Magic Hound; Pioneer Kitten

Mapped detections: DET-001 Intune Bulk Device Wipe Anomaly; DET-004 Mail Click To Execution Correlation

Mapped hunts: HUNT-001 If identity-plane destructive tradecraft is attempted then privileged role activation or bulk device actions will appear in audit logs; HUNT-004 If VIP phishing is active then mail click events will correlate to risky sign-in or execution

Required telemetry fields: AuditLogs; CloudAppEvents; Entra ID sign-in logs; Intune audit logs; TargetResources; InitiatedBy; OperationName.

Endpoint RMM, Scripting, And User-Path Execution

Capability route: Hunt unauthorized RMM, script execution, signed installer abuse, and phishing-to-execution chains.

Relevant actors: MuddyWater; OilRig; APT42; Imperial Kitten; TA402; WIRTE

Mapped detections: DET-002 Suspicious RMM Installer Download From User Context; DET-004 Mail Click To Execution Correlation

Mapped hunts: HUNT-002 If MuddyWater-style RMM abuse is active then unauthorized RMM execution will appear from user-controlled paths; HUNT-004 If VIP phishing is active then mail click events will correlate to risky sign-in or execution

Required telemetry fields: DeviceProcessEvents; DeviceFileEvents; FolderPath; ProcessCommandLine; Parent process; RemoteUrl; approved RMM inventory.

OT, PLC, HMI, And Exposed Engineering Interfaces

Capability route: Route exposed industrial interfaces to responsible asset owners and relevant IRGC-aligned actor profiles.

Relevant actors: CyberAv3ngers; Cyber Toufan; Lyceum; UNC1860

Mapped detections: DET-003 Unitronics PLC HMI Web Interface Access

Mapped hunts: HUNT-003 If exposed PLC/HMI surfaces are targeted then OT management paths or ports will show external access

Required telemetry fields: Firewall; proxy; OT NDR; VPN; URL; UserAgent; DestinationPort; AssetOwner; approved vendor remote access.

Internet-Facing Servers, Webshells, And Passive Access

Capability route: Pivot from exploited edge services to webshell, IIS module, passive backdoor, and handoff-risk guidance.

Relevant actors: UNC1860; Scarred Manticore; OilRig; Lebanese Cedar; Pioneer Kitten

Mapped detections: None currently mapped.

Mapped hunts: None currently mapped.

Required telemetry fields: Web server logs; IIS configuration; appcmd activity; EDR module loads; file writes under web roots and inetsrv paths.

Destructive Operations, Backup Deletion, And Wipers

Capability route: Connect destructive personas and wiper tradecraft to VSS, backup, and mass file-operation hunts.

Relevant actors: Void Manticore / Handala; Agrius; DarkBit; Cyber Toufan

Mapped detections: None currently mapped.

Mapped hunts: None currently mapped.

Required telemetry fields: Process creation; service control events; file rename/write telemetry; backup admin logs; cloud backup configuration logs.

Email, Cloud-Service, IMAP, And DNS C2

Capability route: Connect cloud-service C2, IMAPLoader behavior, DNS tunneling, and mail-driven intrusion chains.

Relevant actors: Imperial Kitten; OilRig; MuddyWater; APT42

Mapped detections: DET-004 Mail Click To Execution Correlation

Mapped hunts: HUNT-004 If VIP phishing is active then mail click events will correlate to risky sign-in or execution

Required telemetry fields: DNS logs; proxy logs; IMAP/IMAPS egress; process network connections; mail click logs; cloud storage access logs.