{
  "name": "/lab/threat-hunting — covered techniques",
  "versions": {
    "attack": "16",
    "navigator": "5.1.0",
    "layer": "4.5"
  },
  "domain": "enterprise-attack",
  "description": "Techniques operationalized by the framework-of-frameworks walkthrough at /lab/threat-hunting on austinrose.me. Source: California CDT detection methodology applied to synthetic telemetry.",
  "filters": {
    "platforms": ["Windows", "Linux", "macOS", "Network", "Containers"]
  },
  "sorting": 0,
  "layout": {
    "layout": "side",
    "aggregateFunction": "average",
    "showID": true,
    "showName": true,
    "showAggregateScores": false,
    "countUnscored": false
  },
  "hideDisabled": false,
  "techniques": [
    {
      "techniqueID": "T1110",
      "score": 100,
      "color": "#0e7490",
      "comment": "Brute Force — covered via Password Guessing (T1110.001), the only T1110 sub-technique scored in this layer. Sigma rule + SPL search + playbook deployed via /lab/threat-hunting use case.",
      "enabled": true
    },
    {
      "techniqueID": "T1110.001",
      "score": 100,
      "color": "#0e7490",
      "comment": "Password Guessing — three sub-source variants demonstrated: Windows AD (Security event ID 4625), FTP (reply code 530), WordPress (wp-login.php).",
      "enabled": true
    },
    {
      "techniqueID": "T1078",
      "score": 50,
      "color": "#5ee3ff",
      "comment": "Valid Accounts — observed downstream when the brute force succeeds and credentials are reused. Not directly detected by this use case; flagged for adjacent coverage.",
      "enabled": true
    },
    {
      "techniqueID": "T1078.002",
      "score": 50,
      "color": "#5ee3ff",
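      "comment": "Domain Accounts — when the brute force succeeds in the Windows scenario, the resulting use of the domain account maps here. Adjacent only: not directly detected by this use case.",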
      "enabled": true
    }
  ],
  "gradient": {
    "colors": ["#5ee3ff", "#0e7490"],
    "minValue": 0,
    "maxValue": 100
  },
  "legendItems": [
    { "label": "Covered (detection-as-code deployed)", "color": "#0e7490" },
    { "label": "Adjacent (visible downstream, not directly detected)", "color": "#5ee3ff" }
  ],
  "metadata": [],
  "links": [],
  "showTacticRowBackground": false,
  "tacticRowBackground": "#dddddd",
  "selectTechniquesAcrossTactics": true,
  "selectSubtechniquesWithParent": false
}
