# Detection ATT&CK coverage
Generated by tools/scripts/detection/attack_coverage.py (ADR 040). Do not
edit by hand; run the generator to refresh.
- Rules: 21
- Techniques covered: 25
| ATT&CK technique | Rules |
|---|---|
| T1003.008 | /etc/shadow read by non-root or unusual process |
| T1021.004 | SSH process with batch-mode flags (lateral movement) |
| T1027 | Inline base64 decode piped to shell |
| T1036.005 | Masquerading system process executing from a temp path |
| T1048 | Data exfiltration via curl upload to external host |
| T1053.003 | Cron persistence via /etc/cron.d or user crontab write |
| T1059.001 | PowerShell encoded command on Linux |
| T1059.004 | Inline base64 decode piped to shell; Reverse shell via bash /dev/tcp; Suspicious curl-piped-to-shell execution |
| T1070.003 | Shell history tampering and anti-forensics |
| T1071.004 | DNS query with long subdomain (probable exfiltration) |
| T1083 | Path traversal / local file inclusion in HTTP request |
| T1098 | Local account creation or privileged group manipulation |
| T1105 | Suspicious curl-piped-to-shell execution |
| T1136.001 | Local account creation or privileged group manipulation |
| T1190 | Log4Shell JNDI probe in HTTP request; Path traversal / local file inclusion in HTTP request; SQL injection pattern in HTTP request |
| T1204.002 | Suspicious curl-piped-to-shell execution |
| T1486 | Mass file rename to ransomware extension |
| T1547.006 | systemd unit drop-in for persistence |
| T1548.003 | Sudoers privilege escalation via sudoers file write |
| T1562.001 | Disable Linux security tooling |
| T1562.003 | Shell history tampering and anti-forensics |
| T1567.002 | Data exfiltration via curl upload to external host |
| T1571 | Reverse shell via bash /dev/tcp |
| T1574.006 | Dynamic linker hijack via LD_PRELOAD |
| T1611 | Container escape via nsenter into host namespaces |
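The counts and table above are the generator's output. The following is an added example, not the project's `tools/scripts/detection/attack_coverage.py`: it assumes each rule carries a name and a list of ATT&CK technique IDs (the `RULES` list is transcribed from the table on this page as constructed input, not read from a rules directory), and shows the computation that produces the two counts and the Technique -> Rules table. It also validates technique IDs, so a typo in a rule's tags fails loudly instead of adding a phantom technique row.

```python
"""Rebuild an ATT&CK coverage table from rule metadata (added example).

Assumed input shape: (rule name, [technique IDs]). RULES below is constructed
from the page's own table so the output can be compared against it.
"""
import re
from collections import defaultdict

# Technique IDs look like T1234 or T1234.567; anything else is a tagging error.
TECH_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed from the table on this page: (rule name, ATT&CK technique IDs).
RULES = [
    ("/etc/shadow read by non-root or unusual process", ["T1003.008"]),
    ("SSH process with batch-mode flags (lateral movement)", ["T1021.004"]),
    ("Inline base64 decode piped to shell", ["T1027", "T1059.004"]),
    ("Masquerading system process executing from a temp path", ["T1036.005"]),
    ("Data exfiltration via curl upload to external host", ["T1048", "T1567.002"]),
    ("Cron persistence via /etc/cron.d or user crontab write", ["T1053.003"]),
    ("PowerShell encoded command on Linux", ["T1059.001"]),
    ("Reverse shell via bash /dev/tcp", ["T1059.004", "T1571"]),
    ("Suspicious curl-piped-to-shell execution", ["T1059.004", "T1105", "T1204.002"]),
    ("Shell history tampering and anti-forensics", ["T1070.003", "T1562.003"]),
    ("DNS query with long subdomain (probable exfiltration)", ["T1071.004"]),
    ("Path traversal / local file inclusion in HTTP request", ["T1083", "T1190"]),
    ("Local account creation or privileged group manipulation", ["T1098", "T1136.001"]),
    ("Log4Shell JNDI probe in HTTP request", ["T1190"]),
    ("SQL injection pattern in HTTP request", ["T1190"]),
    ("Mass file rename to ransomware extension", ["T1486"]),
    ("systemd unit drop-in for persistence", ["T1547.006"]),
    ("Sudoers privilege escalation via sudoers file write", ["T1548.003"]),
    ("Disable Linux security tooling", ["T1562.001"]),
    ("Dynamic linker hijack via LD_PRELOAD", ["T1574.006"]),
    ("Container escape via nsenter into host namespaces", ["T1611"]),
]


def technique_key(tid):
    """Sort key so T1003.008 < T1021.004 < T1027 (numeric, not lexical)."""
    major, _, sub = tid[1:].partition(".")
    return (int(major), int(sub) if sub else -1)


def coverage(rules):
    """Map technique ID -> sorted list of rule names; reject malformed IDs."""
    cov = defaultdict(set)
    for name, techniques in rules:
        for tid in techniques:
            if not TECH_ID.match(tid):
                raise ValueError(f"rule {name!r}: bad technique id {tid!r}")
            cov[tid].add(name)
    return {tid: sorted(cov[tid]) for tid in sorted(cov, key=technique_key)}


def render(rules):
    """Render the same markdown layout as the page: counts, then the table."""
    cov = coverage(rules)
    lines = [
        f"- Rules: {len(rules)}",
        f"- Techniques covered: {len(cov)}",
        "",
        "| ATT&CK technique | Rules |",
        "|---|---|",
    ]
    lines += [f"| {tid} | {'; '.join(names)} |" for tid, names in cov.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(RULES))
```

Running it reproduces the page: 21 rules, 25 techniques, one row per technique with the rules listed alphabetically. A rule tagged with two techniques (for example the curl upload rule under both T1048 and T1567.002) appears in two rows, which is why the technique count exceeds the rule count even though some techniques share a rule.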