Live heatmap derived from real threat detections across our intelligence feeds. Techniques are mapped from IOCs, malware signatures, CVE exploitation patterns, and attack categories. MITRE ATT&CK® is a registered trademark of The MITRE Corporation.
Live ATT&CK Heatmap
Detected Attack Chains
Multi-step attack sequences correlated across our threat intelligence feeds within 24-hour detection windows.
Detection Coverage Analysis
ATT&CK Matrix Coverage
Coverage based on techniques with at least one detection in the current intelligence window. Increase coverage by adding more threat feeds and detection rules.
SIGMA Detection Rules
Sample SIGMA rules mapped to currently active ATT&CK techniques. Rules sourced from SigmaHQ (© SigmaHQ contributors, Detection Rule License 1.1).
Rules shown: T1110 Brute Force, T1566 Phishing, T1046 Port Scan, T1486 Ransomware.
title: SSH Brute Force Detection
id: 5e248060-4a36-4f8e-9f5c-d6f4c7dc7a5b
status: stable
description: Detects SSH brute force attacks from a single source
references:
    - https://attack.mitre.org/techniques/T1110/003/
author: SigmaHQ (adapted)
date: 2024/01/01
tags:
    - attack.credential_access
    - attack.t1110.003
logsource:
    product: linux
    service: sshd
detection:
    selection:
        sshd_message|contains: 'Failed password'
    # timeframe + count() is the legacy Sigma aggregation syntax; the current
    # specification expresses the same threshold as a correlation rule
    timeframe: 1m
    condition: selection | count() > 10
falsepositives:
    - Legitimate users with multiple failed attempts
level: high

title: Suspicious Email Attachment Download
id: 3b37a6b2-a1c1-4ba7-a2e5-49b55d2f5fde
status: experimental
description: Detects download of suspicious file types via email client processes
references:
    - https://attack.mitre.org/techniques/T1566/001/
author: SigmaHQ (adapted)
date: 2024/01/01
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\outlook.exe'
            - '\thunderbird.exe'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\powershell.exe'
            - '\cmd.exe'
    condition: selection
falsepositives:
    - Legitimate macros and scripts run from email clients
level: high

title: Network Port Scan Detection
id: 7d3a2c1e-4b56-4789-abc1-d2e3f4a5b6c7
status: stable
description: Detects port scanning activity targeting multiple ports from a single source
references:
    - https://attack.mitre.org/techniques/T1046/
author: SigmaHQ (adapted)
date: 2024/01/01
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: network_connection
    product: zeek
detection:
    selection:
        proto: 'tcp'
        conn_state: 'S0'   # SYN seen, no reply: typical of probes against closed or filtered ports
    timeframe: 30s
    # legacy aggregation: more than 50 distinct destination ports per source host in 30 s
    condition: selection | count(id.resp_p) by id.orig_h > 50
falsepositives:
    - Vulnerability scanners and network inventory tools
level: medium

title: Ransomware File Encryption Activity
id: 8e4b7f2a-1c23-4567-89ab-cdef01234567
status: stable
description: Detects mass file renaming or encryption characteristic of ransomware
references:
    - https://attack.mitre.org/techniques/T1486/
author: SigmaHQ (adapted)
date: 2024/01/01
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.locked'
            - '.encrypted'
            - '.crypto'
            - '.enc'
            - '.crypted'
    timeframe: 30s
    # legacy aggregation: more than 20 matching file events from one process in 30 s
    condition: selection | count() by ProcessId > 20
falsepositives:
    - Legitimate encryption software
level: critical
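Three of the rules above rely on the legacy `selection | count(...) by <field> > N` aggregation evaluated over a `timeframe`. The following added example (not SigmaHQ or this site's code) implements that sliding-window evaluation in plain Python and runs the T1486 and T1046 conditions over constructed sample events; `matches`, `evaluate`, `mk` and the sample data are all assumptions of this example, and it goes beyond the page by handling both plain `count()` and the distinct-field form `count(id.resp_p)`.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def matches(event, selection):
    """Minimal Sigma selection matcher: exact match, |contains and |endswith modifiers."""
    for key, wanted in selection.items():
        field, _, mod = key.partition("|")
        value = str(event.get(field, "")).lower()
        options = [str(w).lower() for w in (wanted if isinstance(wanted, list) else [wanted])]
        test = {"endswith": value.endswith, "contains": lambda w: w in value}.get(mod, value.__eq__)
        if not any(test(w) for w in options):
            return False
    return True

def evaluate(events, selection, by, threshold, timeframe, count_field=None):
    """Legacy Sigma `selection | count(count_field) by <by> > threshold` over a sliding
    `timeframe`; count_field=None means count(). Events must be sorted by their 'ts'."""
    windows = defaultdict(deque)   # by-value -> deque of (ts, counted value)
    alerts = set()
    for e in events:
        if not matches(e, selection):
            continue
        win = windows[e.get(by)]
        win.append((e["ts"], e.get(count_field)))
        while e["ts"] - win[0][0] > timeframe:   # expire entries that left the window
            win.popleft()
        count = len(win) if count_field is None else len({v for _, v in win})
        if count > threshold:
            alerts.add(e.get(by))
    return alerts

T0 = datetime(2024, 1, 1, 12, 0, 0)
def mk(ms, **fields):   # constructed event `ms` milliseconds after T0
    return {"ts": T0 + timedelta(milliseconds=ms), **fields}

# Constructed telemetry: PID 4242 renames 25 files to .locked within 10 s (ransomware-like);
# PID 7 (a backup job) writes 5 .enc files spread over a minute and must not alert.
FILE_EVENTS = sorted(
    [mk(400 * i, ProcessId=4242, TargetFilename=f"C:\\Users\\a\\doc{i}.docx.locked") for i in range(25)]
    + [mk(12000 * i, ProcessId=7, TargetFilename=f"D:\\backup\\vol{i}.enc") for i in range(5)],
    key=lambda e: e["ts"])
# Constructed Zeek conn events: 10.0.0.5 probes 60 distinct ports in 6 s; 10.0.0.9 retries 443 60 times.
CONN_EVENTS = sorted(
    [mk(100 * i, proto="tcp", conn_state="S0", **{"id.orig_h": "10.0.0.5", "id.resp_p": 1 + i}) for i in range(60)]
    + [mk(100 * i, proto="tcp", conn_state="S0", **{"id.orig_h": "10.0.0.9", "id.resp_p": 443}) for i in range(60)],
    key=lambda e: e["ts"])

def ransomware_alerts():   # T1486 rule: count() by ProcessId > 20, timeframe 30s
    sel = {"TargetFilename|endswith": [".locked", ".encrypted", ".crypto", ".enc", ".crypted"]}
    return evaluate(FILE_EVENTS, sel, "ProcessId", 20, timedelta(seconds=30))

def portscan_alerts():     # T1046 rule: count(id.resp_p) by id.orig_h > 50, timeframe 30s
    return evaluate(CONN_EVENTS, {"proto": "tcp", "conn_state": "S0"}, "id.orig_h", 50,
                    timedelta(seconds=30), "id.resp_p")
```

The retrying host 10.0.0.9 never alerts because the distinct-port count stays at one, which is exactly what separates a scan from a stuck client under this rule.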