SHIELDMIND
MITRE ATT&CK

Coverage. Verifiable. Public.

Most vendors publish a number. We publish the detector. Every covered technique on this page links to the open-source rule that catches it.

  • 139 production detectors (112 Sigma · 27 behavioural)
  • 69 MITRE techniques covered (of 223 in our SMB-priority matrix)
  • 30.9% coverage of the priority matrix (refreshed on every deploy from the source files)
  • 14 ATT&CK tactics tracked (Reconnaissance through Impact)

Every detector here ships in the open-source ShieldMind agent. The coverage number is computed at deploy time from the actual detector source — there is no marketing layer between this page and the code that runs on customer laptops.

The full matrix.

Reconnaissance (TA0043): 1/12 covered (8.3%)
T1589+3 sub
Gather Victim Identity Information
T1590+6 sub
Gather Victim Network Information
T1591+4 sub
Gather Victim Org Information
T1592+4 sub
Gather Victim Host Information
T1593+3 sub
Search Open Websites/Domains
T1594
Search Victim-Owned Websites
T1595+3 sub
Active Scanning
sigma.sm-recon-001-active-scanning · sigma
T1596+5 sub
Search Open Technical Databases
T1597+2 sub
Search Closed Sources
T1598+4 sub
Phishing for Information
T1681
Search Threat Vendor Data
T1682
Query Public AI Services

Resource Development (TA0042): 1/9 covered (11.1%)
T1583+8 sub
Acquire Infrastructure
T1584+8 sub
Compromise Infrastructure
T1585+3 sub
Establish Accounts
T1586+3 sub
Compromise Accounts
T1587+4 sub
Develop Capabilities
T1588+7 sub
Obtain Capabilities
sigma.sm-rd-001-offensive-tool-present · sigma
T1608+6 sub
Stage Capabilities
T1650
Acquire Access
T1683+2 sub
Generate Content

Initial Access (TA0001): 4/11 covered (36.4%)
T1078+4 sub
Valid Accounts
id.impossible_travel · python, decep.honeytoken_access · python, sigma.sm-cloud-011-no-mfa-login · sigma, sigma.sm-005-aws-root-login · sigma
T1091
Replication Through Removable Media
T1133
External Remote Services
sigma.sm-ia-051-remote-access-tool · sigma
T1189
Drive-by Compromise
T1190
Exploit Public-Facing Application
sigma.sm-ia-050-webroot-execution · sigma
T1195+3 sub
Supply Chain Compromise
T1199
Trusted Relationship
T1200
Hardware Additions
T1566+4 sub
Phishing
sigma.sm-ia-010-office-lolbin · sigma, sigma.sm-ia-011-iso-lnk · sigma, sigma.sm-pers-013-outlook-macro · sigma
T1659
Content Injection
T1669
Wi-Fi Networks

Execution (TA0002): 14/55 covered (25.5%)
T1006
Direct Volume Access
T1014
Rootkit
pers.unsigned_driver · python
T1027+18 sub
Obfuscated Files or Information
sigma.sm-ia-011-iso-lnk · sigma, sigma.sm-exec-003-cmd-caret-obfuscation · sigma, sigma.sm-exec-010-pwsh-encoded · sigma, sigma.sm-mac-014-unsigned-tmp · sigma, sigma.sm-001-pwsh-enc · sigma
T1036+12 sub
Masquerading
sigma.sm-de-006-masquerade-sysbin · sigma
T1047
Windows Management Instrumentation
sigma.sm-exec-017-wmic-remote · sigma
T1053+5 sub
Scheduled Task/Job
sigma.sm-pers-007-cron-odd · sigma, persistence.new_autorun · python, pers.schtask_hidden · python, sigma.sm-exec-019-schtasks-remote · sigma, sigma.sm-pers-008-scheduled-task · sigma
T1059+13 sub
Command and Scripting Interpreter
exec.parent_child_anomaly · python, exec.process_tree_depth · python, sigma.sm-exec-005-python-revshell · sigma, lolbin.download_exec · python, sigma.sm-exec-003-cmd-caret-obfuscation · sigma, sigma.sm-004-osascript-remote · sigma, sigma.sm-exec-004-bash-reverse-shell · sigma, sigma.sm-lin-010-curl-pipe-sh · sigma, sigma.sm-003-curl-pipe-sh · sigma, sigma.sm-exec-010-pwsh-encoded · sigma, sigma.sm-exec-001-pwsh-iex-download · sigma, sigma.sm-exec-002-pwsh-iwr-external · sigma, sigma.sm-exec-018-winrm-session · sigma, sigma.sm-001-pwsh-enc · sigma
T1070+8 sub
Indicator Removal
defense.audit_tamper · python, sigma.sm-de-002-clear-bash-history · sigma, sigma.sm-lin-013-history-clear · sigma
T1072
Software Deployment Tools
T1106
Native API
sigma.sm-exec-050-native-api-pinvoke · sigma
T1127+3 sub
Trusted Developer Utilities Proxy Execution
sigma.sm-exec-016-msbuild-inline · sigma
T1129
Shared Modules
T1140
Deobfuscate/Decode Files or Information
sigma.sm-de-030-certutil-decode · sigma
T1197
BITS Jobs
sigma.sm-exec-012-bitsadmin-download · sigma
T1202
Indirect Command Execution
T1203
Exploitation for Client Execution
T1204+5 sub
User Execution
exec.parent_child_anomaly · python, sigma.sm-ia-010-office-lolbin · sigma
T1207
Rogue Domain Controller
T1211
Exploitation for Stealth
T1216+2 sub
System Script Proxy Execution
T1218+14 sub
System Binary Proxy Execution
sigma.sm-exec-014-regsvr32-squiblydoo · sigma, sigma.sm-exec-006-mshta-remote · sigma, sigma.sm-exec-013-mshta-remote · sigma, lolbin.download_exec · python, exec.process_tree_depth · python, sigma.sm-exec-007-wmic-pcc · sigma, sigma.sm-exec-015-rundll32-js · sigma, sigma.sm-002-rundll32-js · sigma
T1220
XSL Script Processing
T1221
Template Injection
T1222+2 sub
File and Directory Permissions Modification
T1480+2 sub
Execution Guardrails
T1535
Unused/Unsupported Cloud Regions
T1553+6 sub
Subvert Trust Controls
T1559+3 sub
Inter-Process Communication
T1564+14 sub
Hide Artifacts
pers.schtask_hidden · python
T1569+3 sub
System Services
T1574+12 sub
Hijack Execution Flow
T1578+5 sub
Modify Cloud Compute Infrastructure
T1599+1 sub
Network Boundary Bridging
T1600+2 sub
Weaken Encryption
T1601+2 sub
Modify System Image
T1609
Container Administration Command
T1610
Deploy Container
T1612
Build Image on Host
T1620
Reflective Code Loading
T1647
Plist File Modification
T1648
Serverless Execution
T1651
Cloud Administration Command
T1666
Modify Cloud Resource Hierarchy
T1674
Input Injection
T1675
ESXi Administration Command
T1677
Poisoned Pipeline Execution
T1678
Delay Execution
T1679
Selective Exclusion
T1684+2 sub
Social Engineering
T1685+6 sub
Disable or Modify Tools
T1686+3 sub
Disable or Modify System Firewall
T1687
Exploitation for Defense Impairment
T1688
Safe Mode Boot
T1689
Downgrade Attack
T1690
Prevent Command History Logging

Persistence (TA0003): 11/22 covered (50%)
T1037+5 sub
Boot or Logon Initialization Scripts
T1053+5 sub
Scheduled Task/Job
sigma.sm-pers-007-cron-odd · sigma, persistence.new_autorun · python, pers.schtask_hidden · python, sigma.sm-exec-019-schtasks-remote · sigma, sigma.sm-pers-008-scheduled-task · sigma
T1078+4 sub
Valid Accounts
id.impossible_travel · python, decep.honeytoken_access · python, sigma.sm-cloud-011-no-mfa-login · sigma, sigma.sm-005-aws-root-login · sigma
T1098+7 sub
Account Manipulation
sigma.sm-pers-004-authorized-keys · sigma, sigma.sm-cloud-010-iam-key-burst · sigma
T1112
Modify Registry
sigma.sm-pers-013-outlook-macro · sigma
T1133
External Remote Services
sigma.sm-ia-051-remote-access-tool · sigma
T1136+3 sub
Create Account
sigma.sm-pers-020-local-account-create · sigma
T1137+6 sub
Office Application Startup
T1176+2 sub
Browser Extensions
sigma.sm-web-010-extension-burst · sigma
T1197
BITS Jobs
sigma.sm-exec-012-bitsadmin-download · sigma
T1205+2 sub
Traffic Signaling
T1505+6 sub
Server Software Component
T1525
Implant Internal Image
T1542+5 sub
Pre-OS Boot
T1543+5 sub
Create or Modify System Process
sigma.sm-mac-010-launchagent · sigma, sigma.sm-pers-006-launch-agent · sigma, persistence.new_autorun · python, pers.unsigned_driver · python, pers.new_service_local_acct · python, sigma.sm-lin-012-systemd-create · sigma, sigma.sm-pers-005-systemd-create · sigma
T1546+18 sub
Event Triggered Execution
sigma.sm-pers-011-ifeo-hijack · sigma, sigma.sm-pers-003-wmi-subscription · sigma
T1547+14 sub
Boot or Logon Autostart Execution
persistence.new_autorun · python, sigma.sm-pers-001-run-key-write · sigma, sigma.sm-pers-002-startup-drop · sigma, sigma.sm-pers-012-winlogon-modify · sigma, sigma.sm-lin-014-kmod-load · sigma
T1554
Compromise Host Software Binary
T1556+9 sub
Modify Authentication Process
T1653
Power Settings
T1668
Exclusive Control
T1671
Cloud Application Integration

Privilege Escalation (TA0004): 11/13 covered (84.6%)
T1037+5 sub
Boot or Logon Initialization Scripts
T1053+5 sub
Scheduled Task/Job
sigma.sm-pers-007-cron-odd · sigma, persistence.new_autorun · python, pers.schtask_hidden · python, sigma.sm-exec-019-schtasks-remote · sigma, sigma.sm-pers-008-scheduled-task · sigma
T1055+12 sub
Process Injection
de.process_hollowing · python, sigma.sm-de-005-process-hollowing · sigma
T1068
Exploitation for Privilege Escalation
sigma.sm-pe-050-known-lpe-tool · sigma
T1078+4 sub
Valid Accounts
id.impossible_travel · python, decep.honeytoken_access · python, sigma.sm-cloud-011-no-mfa-login · sigma, sigma.sm-005-aws-root-login · sigma
T1098+7 sub
Account Manipulation
sigma.sm-pers-004-authorized-keys · sigma, sigma.sm-cloud-010-iam-key-burst · sigma
T1134+5 sub
Access Token Manipulation
sigma.sm-pe-003-runas-savecred · sigma
T1484+2 sub
Domain or Tenant Policy Modification
T1543+5 sub
Create or Modify System Process
sigma.sm-mac-010-launchagent · sigma, sigma.sm-pers-006-launch-agent · sigma, persistence.new_autorun · python, pers.unsigned_driver · python, pers.new_service_local_acct · python, sigma.sm-lin-012-systemd-create · sigma, sigma.sm-pers-005-systemd-create · sigma
T1546+18 sub
Event Triggered Execution
sigma.sm-pers-011-ifeo-hijack · sigma, sigma.sm-pers-003-wmi-subscription · sigma
T1547+14 sub
Boot or Logon Autostart Execution
persistence.new_autorun · python, sigma.sm-pers-001-run-key-write · sigma, sigma.sm-pers-002-startup-drop · sigma, sigma.sm-pers-012-winlogon-modify · sigma, sigma.sm-lin-014-kmod-load · sigma
T1548+6 sub
Abuse Elevation Control Mechanism
sigma.sm-lin-011-sudoers-nopasswd · sigma, sigma.sm-pe-002-sudoers-perm · sigma, sigma.sm-de-013-uac-disable · sigma, sigma.sm-pe-001-uac-fodhelper · sigma
T1611
Escape to Host
priv.container_escape · python

Defense Evasion (TA0005): 1/1 covered (100%)
T1562+3 sub
Impair Defenses
sigma.sm-de-004-firewall-disable · sigma, sigma.sm-de-012-etw-disable · sigma, defense.edr_tamper · python, sigma.sm-de-011-amsi-bypass · sigma, sigma.sm-de-003-defender-tamper · sigma, sigma.sm-mac-013-gatekeeper-off · sigma

Credential Access (TA0006): 8/17 covered (47.1%)
T1003+8 sub
OS Credential Dumping
credaccess.dump_attempt · python, sigma.sm-cred-003-ntds-dit · sigma, sigma.sm-cred-004-mimikatz · sigma, sigma.sm-cred-002-sam-save · sigma, credential.lsass_handle · python, sigma.sm-cred-001-lsass-minidump · sigma
T1040
Network Sniffing
T1056+4 sub
Input Capture
coll.screen_lock_toggle · python
T1110+4 sub
Brute Force
credential.bruteforce_rate · python
T1111
Multi-Factor Authentication Interception
T1187
Forced Authentication
T1212
Exploitation for Credential Access
T1528
Steal Application Access Token
id.oauth_grant_burst · python
T1539
Steal Web Session Cookie
T1552+8 sub
Unsecured Credentials
exfil.cloud_credential · python, cred.cleartext_secret_commit · python, sigma.sm-cred-013-aws-creds · sigma, sigma.sm-exfil-001-github-secret · sigma, decep.honeytoken_access · python, sigma.sm-cred-007-ssh-key-access · sigma, sigma.sm-cred-012-ssh-key-read · sigma
T1555+6 sub
Credentials from Password Stores
credaccess.dump_attempt · python, sigma.sm-cred-005-keychain-dump · sigma, sigma.sm-mac-012-keychain-dump · sigma, sigma.sm-cred-006-browser-creds · sigma, sigma.sm-cred-011-browser-logins · sigma, sigma.sm-cred-010-dpapi-masterkey · sigma
T1556+9 sub
Modify Authentication Process
T1557+4 sub
Adversary-in-the-Middle
T1558+5 sub
Steal or Forge Kerberos Tickets
cred.golden_ticket · python, sigma.sm-cred-014-kerberoast-spn · sigma
T1606+2 sub
Forge Web Credentials
T1621
Multi-Factor Authentication Request Generation
id.sso_fatigue · python
T1649
Steal or Forge Authentication Certificates

Discovery (TA0007): 8/34 covered (23.5%)
T1007
System Service Discovery
T1010
Application Window Discovery
T1012
Query Registry
T1016+2 sub
System Network Configuration Discovery
sigma.sm-disc-002-systeminfo · sigma, sigma.sm-disc-011-quartet · sigma
T1018
Remote System Discovery
sigma.sm-disc-002-remote-system-discovery · sigma
T1033
System Owner/User Discovery
T1040
Network Sniffing
T1046
Network Service Discovery
T1049
System Network Connections Discovery
T1057
Process Discovery
sigma.sm-disc-001-process-discovery · sigma
T1069+3 sub
Permission Groups Discovery
sigma.sm-disc-010-domain-admins · sigma
T1082
System Information Discovery
sigma.sm-disc-002-systeminfo · sigma, sigma.sm-disc-011-quartet · sigma
T1083
File and Directory Discovery
sigma.sm-disc-011-quartet · sigma
T1087+4 sub
Account Discovery
sigma.sm-disc-001-net-enum · sigma
T1120
Peripheral Device Discovery
T1124
System Time Discovery
T1135
Network Share Discovery
sigma.sm-disc-012-share-enum · sigma
T1201
Password Policy Discovery
T1217
Browser Information Discovery
T1482
Domain Trust Discovery
T1497+3 sub
Virtualization/Sandbox Evasion
T1518+2 sub
Software Discovery
T1526
Cloud Service Discovery
T1538
Cloud Service Dashboard
T1580
Cloud Infrastructure Discovery
T1613
Container and Resource Discovery
T1614+1 sub
System Location Discovery
T1615
Group Policy Discovery
T1619
Cloud Storage Object Discovery
T1622
Debugger Evasion
T1652
Device Driver Discovery
T1654
Log Enumeration
T1673
Virtual Machine Discovery
T1680
Local Storage Discovery

Lateral Movement (TA0008): 2/9 covered (22.2%)
T1021+8 sub
Remote Services
lateral.first_seen · python, lat.smb_admin_share_write · python, sigma.sm-exec-019-schtasks-remote · sigma, sigma.sm-exec-017-wmic-remote · sigma, sigma.sm-lat-010-psexec · sigma, sigma.sm-lat-002-smb-admin-share · sigma, sigma.sm-exec-018-winrm-session · sigma, sigma.sm-lat-001-rdp-explicit · sigma, sigma.sm-lat-011-rdp-burst · sigma, sigma.sm-exec-007-wmic-pcc · sigma, sigma.sm-lat-003-wmi-remote-exec · sigma
T1072
Software Deployment Tools
T1080
Taint Shared Content
T1091
Replication Through Removable Media
T1210
Exploitation of Remote Services
T1534
Internal Spearphishing
T1550+4 sub
Use Alternate Authentication Material
T1563+2 sub
Remote Service Session Hijacking
T1570
Lateral Tool Transfer
lat.smb_admin_share_write · python

Collection (TA0009): 4/17 covered (23.5%)
T1005
Data from Local System
sigma.sm-coll-050-local-data-harvest · sigma
T1025
Data from Removable Media
T1039
Data from Network Shared Drive
T1056+4 sub
Input Capture
coll.screen_lock_toggle · python
T1074+2 sub
Data Staged
T1113
Screen Capture
sigma.sm-coll-011-screenshot-burst · sigma, sigma.sm-coll-001-screenshot · sigma
T1114+3 sub
Email Collection
T1115
Clipboard Data
T1119
Automated Collection
T1123
Audio Capture
T1125
Video Capture
T1185
Browser Session Hijacking
T1213+6 sub
Data from Information Repositories
T1530
Data from Cloud Storage
T1557+4 sub
Adversary-in-the-Middle
T1560+3 sub
Archive Collected Data
sigma.sm-coll-010-archive-passwd · sigma
T1602+2 sub
Data from Configuration Repository

Command and Control (TA0011): 7/18 covered (38.9%)
T1001+3 sub
Data Obfuscation
T1008
Fallback Channels
T1071+5 sub
Application Layer Protocol
sigma.sm-c2-011-known-c2 · sigma, sigma.sm-c2-010-beacon-jitter · sigma, sigma.sm-c2-002-beacon-periodic · sigma, sigma.sm-exec-002-pwsh-iwr-external · sigma, c2.dns_tunnel · python, sigma.sm-exfil-011-dns-tunnel-subdomain · sigma
T1090+4 sub
Proxy
sigma.sm-c2-040-netsh-portproxy · sigma
T1092
Communication Through Removable Media
T1095
Non-Application Layer Protocol
T1102+3 sub
Web Service
sigma.sm-c2-011-known-c2 · sigma
T1104
Multi-Stage Channels
T1105
Ingress Tool Transfer
lolbin.download_exec · python, sigma.sm-exec-012-bitsadmin-download · sigma, sigma.sm-exec-011-certutil-download · sigma, sigma.sm-exec-001-pwsh-iex-download · sigma, sigma.sm-003-curl-pipe-sh · sigma, sigma.sm-004-osascript-remote · sigma
T1132+2 sub
Data Encoding
T1205+2 sub
Traffic Signaling
T1219+3 sub
Remote Access Tools
T1568+3 sub
Dynamic Resolution
c2.dns_tunnel · python, sigma.sm-c2-001-dga · sigma
T1571
Non-Standard Port
T1572
Protocol Tunneling
c2.dns_tunnel · python
T1573+2 sub
Encrypted Channel
sigma.sm-c2-002-beacon-periodic · sigma
T1659
Content Injection
T1665
Hide Infrastructure

Exfiltration (TA0010): 3/9 covered (33.3%)
T1011+1 sub
Exfiltration Over Other Network Medium
T1020+1 sub
Automated Exfiltration
T1029
Scheduled Transfer
T1030
Data Transfer Size Limits
T1041
Exfiltration over C2 Channel
exfil.large_upload_off_hours · python, sigma.sm-exfil-010-curl-post · sigma
T1048+3 sub
Exfiltration over Alternative Protocol
exfil.large_upload_off_hours · python, sigma.sm-exfil-011-dns-tunnel-subdomain · sigma
T1052+1 sub
Exfiltration Over Physical Medium
T1537
Transfer Data to Cloud Account
T1567+4 sub
Exfiltration over Web Service
exfil.cloud_credential · python, sigma.sm-exfil-012-personal-cloud · sigma, sigma.sm-exfil-001-github-secret · sigma

Impact (TA0040): 5/15 covered (33.3%)
T1485+1 sub
Data Destruction
sigma.sm-impact-020-data-destruction · sigma
T1486
Data Encrypted for Impact (Ransomware)
ransomware.mass_encryption · python
T1489
Service Stop
sigma.sm-imp-002-service-stop-mass · sigma
T1490
Inhibit System Recovery
sigma.sm-imp-001-vss-delete · sigma, sigma.sm-impact-010-vss-delete · sigma
T1491+2 sub
Defacement
sigma.sm-impact-011-wallpaper · sigma
T1495
Firmware Corruption
T1496+4 sub
Resource Hijacking
T1498+2 sub
Network Denial of Service
T1499+4 sub
Endpoint Denial of Service
T1529
System Shutdown/Reboot
T1531
Account Access Removal
T1561+2 sub
Disk Wipe
T1565+3 sub
Data Manipulation
T1657
Financial Theft
T1667
Email Bombing

How this number is computed.

No marketing layer. The number on this page is generated at deploy time by walking the detector source files in the open-source agent and matching the mitre_techniques field on each one against the published MITRE ATT&CK Enterprise matrix. There is no human editing the number before it ships.
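
A reproducible version of the computation described above, as an added example rather than ShieldMind's own code: it walks constructed detector sources, reads each mitre_techniques field, folds sub-techniques onto their parents and scores them against a constructed three-tactic matrix. The file layout, the field syntax and the matrix contents are assumptions; the real matrix has 14 tactics and 223 techniques.

```python
import re

# Constructed stand-in for the SMB-priority matrix (tactic -> parent techniques).
PRIORITY_MATRIX = {
    "TA0002": {"T1047", "T1053", "T1059", "T1218"},  # Execution
    "TA0003": {"T1053", "T1078", "T1547"},           # Persistence
    "TA0004": {"T1053", "T1055", "T1078", "T1547"},  # Privilege Escalation
}

# Constructed detector sources. Assumption: every detector, YAML or Python,
# carries a 'mitre_techniques:' line (as a comment in Python) listing its IDs.
DETECTOR_FILES = {
    "sigma/sm-example-schtasks.yml":
        "title: Example\nmitre_techniques:\n  - T1053.005\n  - T1053.003\n",
    "sigma/sm-example-run-key.yml":
        "title: Example\nmitre_techniques: [T1547.001, T1112]\n",
    "behavioural/example_autorun.py":
        "# mitre_techniques: T1547, T1053\nclass NewAutorun: ...\n",
}

FIELD_RE = re.compile(r"^[ \t]*#?[ \t]*mitre_techniques:[ \t]*(.*)$", re.M)
ITEM_RE = re.compile(r"^\s*-\s*(T\d{4}(?:\.\d{3})?)\s*$")
ID_RE = re.compile(r"T\d{4}(?:\.\d{3})?")

def parent(technique_id):
    """Fold a sub-technique such as T1053.005 onto its parent T1053."""
    return technique_id.split(".")[0]

def techniques_of(source):
    """Parent technique IDs declared in one detector's mitre_techniques field."""
    match = FIELD_RE.search(source)
    if not match:
        return set()
    if match.group(1).strip():                 # inline form: [T1, T2] or T1, T2
        ids = ID_RE.findall(match.group(1))
    else:                                      # block form: '- Txxxx' lines below
        ids = []
        for line in source[match.end():].lstrip("\r\n").splitlines():
            item = ITEM_RE.match(line)
            if not item:
                break
            ids.append(item.group(1))
    return {parent(t) for t in ids}

def coverage(detector_files, matrix):
    """Return (per_tactic, overall, unmapped).

    per_tactic[tactic] = (covered, total); a technique counts once in every
    tactic it belongs to, so those values sum to more than the overall figure,
    which counts unique techniques. IDs absent from the matrix are reported, not counted.
    """
    declared = set().union(*(techniques_of(s) for s in detector_files.values()))
    in_matrix = set().union(*matrix.values())
    per_tactic = {t: (len(ids & declared), len(ids)) for t, ids in matrix.items()}
    covered = declared & in_matrix
    return per_tactic, (len(covered), len(in_matrix)), sorted(declared - in_matrix)

def pct(covered, total):
    """Percentage rounded to one decimal, as shown on the page."""
    return round(100.0 * covered / total, 1) if total else 0.0
```

The same effect is visible in the matrix above: summing the per-tactic counts gives 80 covered of 242 listed, while the headline reports 69 unique of 223, because techniques such as T1053 sit under several tactics.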

Auditable. Click any covered technique above and the link takes you to the YAML or Python source on GitHub. Read the rule. Test it against your own telemetry. We invite the audit.

Priority over breadth. Our matrix tracks the SMB-priority subset of MITRE ATT&CK — the techniques the CrowdStrikes and SentinelOnes detect, the ones CISOs ask about in evaluations — not every entry in the full corpus. Most enterprise EDRs claim 10,000+ signatures; most of those are duplicates or for nation-state TTPs that don't target an SMB. We optimised for the techniques that actually matter.

False-positive baselines. Every Sigma rule we ship includes a falsepositives block and an FP-rate baseline. Pull requests that regress the baseline by more than 2% don't merge.

When this updates. Every deploy. The "last updated" timestamp lives in the page footer; the backend serves a 5-minute-cached payload to keep this page fast.

© 2026 DTRAS-G Solutions Private Limited. All rights reserved. ShieldMind® is a brand operated by DTRAS-G Solutions Private Limited.