TTP To Detection Matrix
Use this page when the starting point is a technique. For mapping discipline, use the Field Manual page "ATT&CK as a Working Tool". Each technique entry links back to the actors mapped to it, the repository detections and hunts mapped to it, and the MITRE ATT&CK reference; the drilldowns also record the mapping quality levels (M1 to M3) and the source IDs behind each mapping.
A zero in the Mapped Detections and Mapped Hunts columns means the technique is tracked for intelligence context only and does not yet have a repository rule or hunt mapped to it. Techniques with several mapped actors and no detection are the natural first candidates for new coverage.
Coverage Summary
| Technique | Actors | Mapped Detections | Mapped Hunts |
|---|---|---|---|
| T0832 | 1 | 0 | 0 |
| T0836 | 1 | 0 | 0 |
| T0883 | 1 | 0 | 0 |
| T1003.001 | 2 | 0 | 0 |
| T1021.001 | 1 | 0 | 0 |
| T1021.002 | 1 | 0 | 0 |
| T1049 | 1 | 0 | 0 |
| T1059.001 | 1 | 0 | 0 |
| T1059.005 | 1 | 0 | 0 |
| T1071.001 | 1 | 0 | 0 |
| T1071.003 | 1 | 0 | 0 |
| T1071.004 | 1 | 0 | 0 |
| T1078 | 1 | 0 | 0 |
| T1078.004 | 1 | 0 | 0 |
| T1102 | 1 | 0 | 0 |
| T1105 | 2 | 0 | 0 |
| T1189 | 2 | 0 | 0 |
| T1190 | 4 | 1 | 1 |
| T1199 | 1 | 0 | 0 |
| T1204 | 1 | 0 | 0 |
| T1204.002 | 2 | 0 | 0 |
| T1219 | 2 | 1 | 1 |
| T1485 | 3 | 1 | 1 |
| T1486 | 2 | 0 | 0 |
| T1490 | 2 | 0 | 0 |
| T1491 | 1 | 0 | 0 |
| T1505.003 | 4 | 0 | 0 |
| T1505.004 | 1 | 0 | 0 |
| T1530 | 1 | 0 | 0 |
| T1566 | 4 | 1 | 1 |
| T1566.001 | 2 | 0 | 0 |
| T1566.002 | 2 | 0 | 0 |
| T1567 | 1 | 0 | 0 |
| T1567.002 | 2 | 0 | 0 |
| T1572 | 1 | 0 | 0 |
| T1574.001 | 2 | 0 | 0 |
| T1583.001 | 1 | 0 | 0 |
| T1585 | 1 | 0 | 0 |
| T1595 | 1 | 0 | 0 |
| T1660 | 1 | 0 | 0 |
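The gap triage this page is meant to support, as an added Python example that is not part of the page or the repository's own tooling. It parses an excerpt of the Coverage Summary above (rows copied from the table, not the full set) and two drilldown entries copied in the page's plain-text layout, ranks techniques that have neither a rule nor a hunt by how many actors map to them, and cross-checks each drilldown's Mapped actors line against the summary count. The column and field names are those used on this page; the embedded excerpts are the only data it reads.

```python
import re
from dataclasses import dataclass

# Rows copied from the page's Coverage Summary (an excerpt, not the full table).
COVERAGE_SUMMARY = """\
| Technique | Actors | Mapped Detections | Mapped Hunts |
|---|---|---|---|
| T0832 | 1 | 0 | 0 |
| T1003.001 | 2 | 0 | 0 |
| T1105 | 2 | 0 | 0 |
| T1190 | 4 | 1 | 1 |
| T1219 | 2 | 1 | 1 |
| T1485 | 3 | 1 | 1 |
| T1505.003 | 4 | 0 | 0 |
| T1566 | 4 | 1 | 1 |
| T1566.001 | 2 | 0 | 0 |
| T1574.001 | 2 | 0 | 0 |
"""

# Two drilldown entries copied in the page's plain-text layout (an excerpt).
DRILLDOWNS = """\
T1003.001 - LSASS Memory
MITRE ATT&CK: T1003.001
Tactic(s): Credential Access
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-MITRE-G0087, SRC-MITRE-G1001
T1190 - Exploit Public-Facing Application
MITRE ATT&CK: T1190
Tactic(s): Initial Access
Mapped actors: Lebanese Cedar; Pioneer Kitten; Scarred Manticore; UNC1860
Mapped detections: DET-003 Unitronics PLC HMI Web Interface Access (Hunt, DRL-4)
Mapped hunts: HUNT-003 If exposed PLC/HMI surfaces are targeted then OT management paths or ports will show external access
Mapping quality levels in repository: M2
Source IDs: SRC-CISA-AA24-241A, SRC-CLEARSKY-LEBANESE-CEDAR, SRC-CP-VOID-2024, SRC-MANDIANT-UNC1860
"""

TECHNIQUE_ID = r"T\d{4}(?:\.\d{3})?"
ROW_RE = re.compile(rf"^\|\s*({TECHNIQUE_ID})\s*\|\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(\d+)\s*\|$")
ENTRY_RE = re.compile(rf"^({TECHNIQUE_ID}) - ")


@dataclass(frozen=True)
class Coverage:
    technique: str
    actors: int
    detections: int
    hunts: int


def parse_summary(text):
    """Markdown table -> {technique: Coverage}; header and separator rows are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            tech, actors, dets, hunts = m.groups()
            rows[tech] = Coverage(tech, int(actors), int(dets), int(hunts))
    return rows


def gap_priority(rows):
    """Techniques with neither a rule nor a hunt, most mapped actors first, then by ID."""
    gaps = [r for r in rows.values() if r.detections == 0 and r.hunts == 0]
    return [r.technique for r in sorted(gaps, key=lambda r: (-r.actors, r.technique))]


def parse_drilldowns(text):
    """Plain-text entries -> {technique: {field: value}}; a 'Txxxx - Name' line starts an entry."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = entries.setdefault(m.group(1), {})
        elif current is not None and ": " in line:
            field, _, value = line.partition(": ")
            current[field] = value.strip()
    return entries


def check_consistency(rows, entries):
    """Report drilldowns whose 'Mapped actors' list (';'-separated) disagrees with the summary count."""
    findings = []
    for tech, row in rows.items():
        entry = entries.get(tech)
        if entry is None:
            continue
        actors = entry.get("Mapped actors", "")  # entries with no such line count as zero
        listed = len([a for a in actors.split(";") if a.strip()])
        if listed != row.actors:
            findings.append(f"{tech}: summary counts {row.actors} actor(s), drilldown lists {listed}")
    return findings


if __name__ == "__main__":
    summary = parse_summary(COVERAGE_SUMMARY)
    print("Uncovered techniques by actor count:", gap_priority(summary))
    for finding in check_consistency(summary, parse_drilldowns(DRILLDOWNS)):
        print("Inconsistent:", finding)
```

Run against the full page, the consistency check is what catches entries such as T1003.001, T1105, T1566.001 and T1574.001, whose summary rows count two actors while the drilldown carries no Mapped actors line.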
Technique Drilldowns
T0832 - Manipulation of View
MITRE ATT&CK: T0832
Tactic(s): Impact
Mapped actors: CyberAv3ngers
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-CISA-AA23-335A
T0836 - Modify Parameter
MITRE ATT&CK: T0836
Tactic(s): Impact
Mapped actors: CyberAv3ngers
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-CISA-AA26-097A
T0883 - Internet Accessible Device
MITRE ATT&CK: T0883
Tactic(s): Initial Access
Mapped actors: CyberAv3ngers
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-CISA-AA23-335A
T1003.001 - LSASS Memory
MITRE ATT&CK: T1003.001
Tactic(s): Credential Access
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-MITRE-G0087, SRC-MITRE-G1001
T1021.001 - Remote Services: RDP
MITRE ATT&CK: T1021.001
Tactic(s): Lateral Movement
Mapped actors: UNC1860
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-MANDIANT-UNC1860
T1021.002 - SMB/Windows Admin Shares
MITRE ATT&CK: T1021.002
Tactic(s): Lateral Movement
Mapped actors: Cyber Toufan
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M3
Source IDs: SRC-OPI-CYBER-TOUFAN
T1049 - System Network Connections Discovery
MITRE ATT&CK: T1049
Tactic(s): Discovery
Mapped actors: OilRig
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M1
Source IDs: SRC-MITRE-G0049
T1059.001 - PowerShell
MITRE ATT&CK: T1059.001
Tactic(s): Execution
Mapped actors: MuddyWater
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-MITRE-G0069
T1059.005 - Visual Basic
MITRE ATT&CK: T1059.005
Tactic(s): Execution
Mapped actors: Imperial Kitten
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-PWC-YELLOW-LIDERC-2023
T1071.001 - Web Protocols
MITRE ATT&CK: T1071.001
Tactic(s): Command and Control
Mapped actors: Scarred Manticore
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-CP-VOID-2024
T1071.003 - Mail Protocols
MITRE ATT&CK: T1071.003
Tactic(s): Command and Control
Mapped actors: Imperial Kitten
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M3
Source IDs: SRC-PWC-YELLOW-LIDERC-2023
T1071.004 - DNS
MITRE ATT&CK: T1071.004
Tactic(s): Command and Control
Mapped actors: Lyceum
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-MITRE-G1001
T1078 - Valid Accounts
MITRE ATT&CK: T1078
Tactic(s): Defense Evasion
Mapped actors: UNC1860
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-MANDIANT-UNC1860
T1078.004 - Valid Accounts: Cloud Accounts
MITRE ATT&CK: T1078.004
Tactic(s): Initial Access
Mapped actors: Void Manticore / Handala
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M3
Source IDs: SRC-PUSH-STRYKER-HANDALA
T1102 - Web Service
MITRE ATT&CK: T1102
Tactic(s): Command and Control
Mapped actors: APT42
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M1
Source IDs: SRC-MITRE-G1044
T1105 - Ingress Tool Transfer
MITRE ATT&CK: T1105
Tactic(s): Command and Control
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2, M3
Source IDs: SRC-MANDIANT-UNC1860, SRC-UNIT42-ASHTAG-2025
T1189 - Drive-by Compromise
MITRE ATT&CK: T1189
Tactic(s): Initial Access
Mapped actors: Imperial Kitten; UNC3890
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-CS-IMPERIAL-KITTEN-2023, SRC-SECWEEK-UNC3890
T1190 - Exploit Public-Facing Application
MITRE ATT&CK: T1190
Tactic(s): Initial Access
Mapped actors: Lebanese Cedar; Pioneer Kitten; Scarred Manticore; UNC1860
Mapped detections: DET-003 Unitronics PLC HMI Web Interface Access (Hunt, DRL-4)
Mapped hunts: HUNT-003 If exposed PLC/HMI surfaces are targeted then OT management paths or ports will show external access
Mapping quality levels in repository: M2
Source IDs: SRC-CISA-AA24-241A, SRC-CLEARSKY-LEBANESE-CEDAR, SRC-CP-VOID-2024, SRC-MANDIANT-UNC1860
T1199 - Trusted Relationship
MITRE ATT&CK: T1199
Tactic(s): Initial Access
Mapped actors: Scarred Manticore
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-CP-VOID-2024
T1204 - User Execution
MITRE ATT&CK: T1204
Tactic(s): Execution
Mapped actors: Void Manticore / Handala
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-AP-HANDALA
T1204.002 - User Execution: Malicious File
MITRE ATT&CK: T1204.002
Tactic(s): Execution
Mapped actors: Cotton Sandstorm; APT-C-23
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M3
Source IDs: SRC-CP-WEZRAT, SRC-ESET-ARIDSPY
T1219 - Remote Access Software
MITRE ATT&CK: T1219
Tactic(s): Command and Control
Mapped actors: MuddyWater; Pioneer Kitten
Mapped detections: DET-002 Suspicious RMM Installer Download From User Context (Pilot, DRL-6)
Mapped hunts: HUNT-002 If MuddyWater-style RMM abuse is active then unauthorized RMM execution will appear from user-controlled paths
Mapping quality levels in repository: M2, M3
Source IDs: SRC-CISA-AA24-241A, SRC-MITRE-G0069
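An added illustration of the HUNT-002 hypothesis in Python, not the repository's DET-002 rule: given Sysmon-style process-creation events, flag RMM agents or installers executed from paths a standard user can write to, ignore the sanctioned Program Files install locations, and raise the severity when the parent process is a mail client, browser or shell (the delivery chain a phished user would produce). The RMM name patterns, the path lists and the sample events are constructed assumptions for this example, not data from the page or its sources.

```python
from fnmatch import fnmatchcase

# Assumed RMM agent/installer names as lower-case glob patterns (not the repository's list).
RMM_IMAGE_PATTERNS = (
    "screenconnect*.exe", "connectwise*.exe", "anydesk*.exe", "atera*.exe",
    "simplehelp*.exe", "syncro*.exe", "teamviewer*.exe", "rustdesk*.exe",
)
# Paths a standard user can write to without admin rights (assumed set, lower-case).
USER_CONTROLLED_DIRS = (
    r"c:\users\*\downloads\*", r"c:\users\*\desktop\*",
    r"c:\users\*\appdata\local\temp\*", r"c:\users\public\*", r"c:\windows\temp\*",
)
# Where a managed deployment would land (assumed allowlist).
SANCTIONED_DIRS = (r"c:\program files\*", r"c:\program files (x86)\*")
# Parents that indicate a user delivery chain rather than a software-deployment service.
DELIVERY_PARENTS = ("outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe")


def classify_process_event(event):
    """Return a finding for an RMM binary run from a user-controlled path, else None."""
    image = event["Image"].lower()
    name = image.rsplit("\\", 1)[-1]
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    if not any(fnmatchcase(name, p) for p in RMM_IMAGE_PATTERNS):
        return None
    if any(fnmatchcase(image, p) for p in SANCTIONED_DIRS):
        return None  # installed under a sanctioned path: treat as managed deployment
    if not any(fnmatchcase(image, p) for p in USER_CONTROLLED_DIRS):
        return None  # elsewhere (e.g. a vendor update path): outside this hunt's scope
    severity = "high" if parent in DELIVERY_PARENTS else "medium"
    return {"user": event["User"], "image": event["Image"], "parent": parent, "severity": severity}


def hunt_rmm_from_user_paths(events):
    """Apply the classifier to a batch of process-creation events and keep the hits."""
    return [f for f in map(classify_process_event, events) if f]


# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"User": "CORP\\alice",
     "Image": r"C:\Users\alice\Downloads\ScreenConnect.ClientSetup.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"User": "CORP\\bob",
     "Image": r"C:\Users\bob\AppData\Local\Temp\AnyDesk.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (sample)\ScreenConnect.WindowsClient.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"User": "CORP\\carol",
     "Image": r"C:\Users\carol\Downloads\notepad++.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in hunt_rmm_from_user_paths(SAMPLE_EVENTS):
        print(finding)
```

The sanctioned-path allowlist is the weak point of this check: an attacker with admin rights can install into Program Files too, so in production the allowlist should be tied to the deployment mechanism (signer plus installing principal), not to the path alone.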
T1485 - Data Destruction
MITRE ATT&CK: T1485
Tactic(s): Impact
Mapped actors: Agrius; Void Manticore / Handala; WIRTE
Mapped detections: DET-001 Intune Bulk Device Wipe Anomaly (Hunt, DRL-5)
Mapped hunts: HUNT-001 If identity-plane destructive tradecraft is attempted then privileged role activation or bulk device actions will appear in audit logs
Mapping quality levels in repository: M2
Source IDs: SRC-AP-HANDALA, SRC-CP-WIRTE-2024, SRC-MITRE-G1030, SRC-PUSH-STRYKER-HANDALA
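An added illustration of the HUNT-001 hypothesis in Python, not the repository's DET-001 rule: over audit events for destructive device actions, find any actor whose densest ten-minute window reaches a threshold of actions, then enrich each burst with privileged role activations by the same actor in the preceding day, since just-in-time activation followed by mass wipes is the identity-plane pattern the hunt describes. The operation and field names, the threshold and the sample events are constructed assumptions for this example, not data from the page, its sources or the Intune audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


# Assumed operation names for destructive device actions (not from the page or Intune docs).
DESTRUCTIVE_OPS = {"wipeManagedDevice", "retireManagedDevice", "deleteManagedDevice"}

# Constructed audit events (not real logs); 'actor' is the principal that performed the action.
ROLE_ACTIVATIONS = [
    {"actor": "admin-x", "time": ts("2024-05-02T02:10:00"), "role": "Intune Administrator"},
    {"actor": "svc-helpdesk", "time": ts("2024-04-30T08:00:00"), "role": "Intune Administrator"},
]
DEVICE_ACTIONS = [
    # routine: three retirements by the helpdesk account spread over two hours
    {"actor": "svc-helpdesk", "operation": "retireManagedDevice", "device": "LAPTOP-HD1", "time": ts("2024-05-02T09:00:00")},
    {"actor": "svc-helpdesk", "operation": "retireManagedDevice", "device": "LAPTOP-HD2", "time": ts("2024-05-02T10:00:00")},
    {"actor": "svc-helpdesk", "operation": "retireManagedDevice", "device": "LAPTOP-HD3", "time": ts("2024-05-02T11:00:00")},
    # burst: twelve wipes in five minutes, shortly after a role activation
    *[{"actor": "admin-x", "operation": "wipeManagedDevice", "device": f"LAPTOP-{i:02d}",
       "time": ts("2024-05-02T02:15:00") + timedelta(seconds=25 * i)} for i in range(12)],
]


def bulk_action_bursts(actions, threshold, window):
    """Per actor, find the densest `window` of destructive actions; report actors reaching `threshold`."""
    times_by_actor = defaultdict(list)
    for a in sorted(actions, key=lambda a: a["time"]):
        if a["operation"] in DESTRUCTIVE_OPS:
            times_by_actor[a["actor"]].append(a["time"])
    findings = []
    for actor, times in times_by_actor.items():
        lo, best, best_start = 0, 0, None
        for hi, t in enumerate(times):  # two-pointer sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > best:
                best, best_start = hi - lo + 1, times[lo]
        if best >= threshold:
            findings.append({"actor": actor, "count": best, "window_start": best_start})
    return findings


def hunt_bulk_wipe(actions, activations, threshold=5, window=timedelta(minutes=10), lookback=timedelta(hours=24)):
    """Bulk device actions, enriched with role activations by the same actor within `lookback` before the burst."""
    findings = bulk_action_bursts(actions, threshold, window)
    for f in findings:
        f["recent_activation"] = [
            a for a in activations
            if a["actor"] == f["actor"] and f["window_start"] - lookback <= a["time"] <= f["window_start"]
        ]
    return findings


if __name__ == "__main__":
    for finding in hunt_bulk_wipe(DEVICE_ACTIONS, ROLE_ACTIVATIONS):
        print(finding)
```

The threshold should be set from the tenant's own baseline of wipe and retire volume (device refresh cycles produce legitimate bursts); the role-activation enrichment is what separates a scripted lifecycle job from an operator who elevated and started destroying.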
T1486 - Data Encrypted for Impact
MITRE ATT&CK: T1486
Tactic(s): Impact
Mapped actors: DarkBit; Agrius
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-INCD-DARKBIT-MUDDYWATER-2023, SRC-MITRE-G1030
T1490 - Inhibit System Recovery
MITRE ATT&CK: T1490
Tactic(s): Impact
Mapped actors: DarkBit; Void Manticore / Handala
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-AP-HANDALA, SRC-MS-MERCURY-DEV1084-2023
T1491 - Defacement
MITRE ATT&CK: T1491
Tactic(s): Impact
Mapped actors: Cyber Toufan
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-MS-IRAN-HAMAS
T1505.003 - Web Shell
MITRE ATT&CK: T1505.003
Tactic(s): Persistence
Mapped actors: OilRig; Lebanese Cedar; Scarred Manticore; UNC1860
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2, M3
Source IDs: SRC-CLEARSKY-LEBANESE-CEDAR, SRC-CP-VOID-2024, SRC-MANDIANT-UNC1860, SRC-MITRE-G0049
T1505.004 - IIS Components
MITRE ATT&CK: T1505.004
Tactic(s): Persistence
Mapped actors: Scarred Manticore
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-CP-VOID-2024
T1530 - Data from Cloud Storage
MITRE ATT&CK: T1530
Tactic(s): Collection
Mapped actors: APT42
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M1
Source IDs: SRC-MITRE-G1044
T1566 - Phishing
MITRE ATT&CK: T1566
Tactic(s): Initial Access
Mapped actors: Cotton Sandstorm; MuddyWater; Void Manticore / Handala; WIRTE
Mapped detections: DET-004 Mail Click To Execution Correlation (Hunt, DRL-4)
Mapped hunts: HUNT-004 If VIP phishing is active then mail click events will correlate to risky sign-in or execution
Mapping quality levels in repository: M2, M3
Source IDs: SRC-AP-HANDALA, SRC-CP-WIRTE-2024, SRC-FBI-EMENNET-2024, SRC-MITRE-G0069
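An added illustration of the HUNT-004 hypothesis in Python, not the repository's DET-004 rule: for each mail click event, collect risky sign-ins and process executions by the same user inside a window after the click, and grade a click that is followed by both as the strongest signal. Events that precede the click are deliberately ignored, because the hunt is about what the click leads to. The field names, the window and the sample events are constructed assumptions for this example, not data from the page or its sources.

```python
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


# Constructed events (not real telemetry). Field names are assumptions modelled loosely on
# mail click, risky sign-in and process telemetry; adapt them to the schema in use.
MAIL_CLICKS = [
    {"user": "alice", "time": ts("2024-05-01T10:00:00"), "url": "https://example.invalid/doc"},
    {"user": "bob",   "time": ts("2024-05-01T11:00:00"), "url": "https://example.invalid/share"},
    {"user": "dave",  "time": ts("2024-05-01T12:00:00"), "url": "https://example.invalid/login"},
]
RISKY_SIGNINS = [
    {"user": "alice", "time": ts("2024-05-01T10:04:00"), "risk": "high", "detail": "unfamiliar location"},
    {"user": "carol", "time": ts("2024-05-01T09:00:00"), "risk": "medium", "detail": "anonymous IP"},
    {"user": "dave",  "time": ts("2024-05-01T13:30:00"), "risk": "high", "detail": "impossible travel"},
]
EXECUTIONS = [
    {"user": "alice", "time": ts("2024-05-01T10:03:00"), "image": r"C:\Users\alice\Downloads\doc.exe"},
    {"user": "bob",   "time": ts("2024-05-01T10:30:00"), "image": r"C:\Users\bob\Downloads\share.exe"},
]


def _following(events, user, start, end):
    """Events by `user` with start <= time <= end."""
    return [e for e in events if e["user"] == user and start <= e["time"] <= end]


def correlate_clicks(clicks, signins, executions, window=timedelta(minutes=60)):
    """One finding per click followed, within `window`, by a risky sign-in and/or an execution by the same user."""
    findings = []
    for click in clicks:
        start, end = click["time"], click["time"] + window
        signins_after = _following(signins, click["user"], start, end)
        execs_after = _following(executions, click["user"], start, end)
        if not (signins_after or execs_after):
            continue
        findings.append({
            "user": click["user"],
            "click": click,
            "signins": signins_after,
            "executions": execs_after,
            # both the credential path and the code path firing after one click is the strongest signal
            "severity": "high" if signins_after and execs_after else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_clicks(MAIL_CLICKS, RISKY_SIGNINS, EXECUTIONS):
        print(finding["user"], finding["severity"], len(finding["signins"]), len(finding["executions"]))
```

In the sample, only alice's click correlates: bob's execution happened before his click and dave's risky sign-in falls outside the hour. For a VIP-focused hunt, run the correlation over the VIP list first and widen the window for that population, since the sign-in may come from a credential phished hours earlier.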
T1566.001 - Spearphishing Attachment
MITRE ATT&CK: T1566.001
Tactic(s): Initial Access
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2, M3
Source IDs: SRC-MITRE-G0087, SRC-PROOFPOINT-TA402-IRONWIND
T1566.002 - Spearphishing Link
MITRE ATT&CK: T1566.002
Tactic(s): Initial Access
Mapped actors: Magic Hound; APT42
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2, M3
Source IDs: SRC-GOOGLE-APT42-PHISHING, SRC-MITRE-G0059
T1567 - Exfiltration Over Web Service
MITRE ATT&CK: T1567
Tactic(s): Exfiltration
Mapped actors: Void Manticore / Handala
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-AP-HANDALA
T1567.002 - Exfiltration to Cloud Storage
MITRE ATT&CK: T1567.002
Tactic(s): Exfiltration
Mapped actors: MuddyWater; WIRTE
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2, M3
Source IDs: SRC-THREAT-HUNTER-V3, SRC-UNIT42-ASHTAG-2025
T1572 - Protocol Tunneling
MITRE ATT&CK: T1572
Tactic(s): Command and Control
Mapped actors: Pioneer Kitten
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-CISA-AA24-241A
T1574.001 - DLL Search Order Hijacking
MITRE ATT&CK: T1574.001
Tactic(s): Defense Evasion
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M3
Source IDs: SRC-CP-WIRTE-2024, SRC-PROOFPOINT-TA402-IRONWIND
T1583.001 - Acquire Domains
MITRE ATT&CK: T1583.001
Tactic(s): Resource Development
Mapped actors: Magic Hound
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M1
Source IDs: SRC-MITRE-G0059
T1585 - Establish Accounts
MITRE ATT&CK: T1585
Tactic(s): Resource Development
Mapped actors: Cotton Sandstorm
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M1
Source IDs: SRC-MS-IRAN-IO
T1595 - Active Scanning
MITRE ATT&CK: T1595
Tactic(s): Reconnaissance
Mapped actors: Cyber Toufan
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M1
Source IDs: SRC-OPI-CYBER-TOUFAN
T1660 - Phishing
MITRE ATT&CK: T1660
Tactic(s): Initial Access (Mobile)
Mapped actors: APT-C-23
Mapped detections: None currently mapped.
Mapped hunts: None currently mapped.
Mapping quality levels in repository: M2
Source IDs: SRC-ESET-ARIDSPY