Ala Dabat — Detection Ecosystem Matrix

Minimum Truth Framework · ADX Validated · Full Ruleset Across All Repos
Author: Ala Dabat (azdabat)
Licence: CC BY-NC-SA 4.0
Ecosystems: 14 · Rules: 100+
Legend: ★ Core Rule · ◆ Novel/POC
Full Matrix

Framework doctrine: Each rule is a sensor, not a kill-chain monolith. Core rules (★) are the minimum truth anchor per ecosystem. Cousin rules cover adjacent surfaces with the same attack intent on a different substrate. No ghost chains — sensor layer always separated from narrative layer. Rules span two repos: Minimum-Truth-Detection-Framework (validated composites) and Attack-Ecosystems-and-POC (expanded ecosystem coverage).
Columns per row: Tactic · Ecosystem · Core Rules ★ · Cousin / Adjacent · MITRE Techniques
Initial Access
Phishing & ClickFix Chain
SafeLinks + Clipboard Injection
  • Sentinel_Phishing_SafeLinks_ClickThrough_V2
  • ClickFix_ErrTraffic_Clipboard_Chain
  • MDE_BEC_Malicious_ClickThrough
  • Sentinel_Phishing_SafeLinks (v1)
  • Smartscreen_High_Risk_Event
Cousin / Adjacent: HTML Smuggling · Macro Execution Chain · QR Code Phish · OneNote Attachment · AitM Proxy Phish
MITRE: T1566.002 Spearphish Link · T1204.002 User Exec · T1059.007 JS/VBS · T1566.001 Attachment
C2
C2 Full Ecosystem
HTTPS · Named Pipe · Blockchain · RMM
  • C2_HTTPS_Jitter_Beacon (v2)
  • C2_NamedPipe_IPC_Session
  • Pipe_C2_Lateral_Movement_Hunt
  • Pipe2_C2_Lateral_Movement_L3
  • Suspicious_Names_Pipes
  • C2_and_RMM_Behavioural_Abuse
  • C2_HTTPS_Jitter_Beacon (v1)
  • C2_Blockchain_RPC_Beacon
  • Crypto_Miner_C2
  • Suspicious_Outbound_Connections
  • TOR_Exit_Nodes_on_Network
Cousin / Adjacent: DNS Tunnelling C2 · ICMP C2 · Domain Fronting · FastFlux Beacon · Slack/Teams C2 · WebDAV C2
MITRE: T1071.001 Web Protocols · T1559.001 Named Pipes · T1102 Web Service · T1571 Non-Std Port · T1219 Remote Access · T1090 Proxy
Execution
LOLBins + PowerShell Full Pack
9 sub-packs · Rare LOLBins · Rundll32 · PS Hunter
  • 01_ProxyExec_Ingress
  • Powershell_Cradle_Ingress
  • PowerShell_Download
  • Powershell_Intent_First
  • Muli_LOLBIN_Hunt_2
  • ASR_Blocked_Executables
  • Untrusted_Executable_Execution
  • 08_Debug_Dump_Injection
  • LOLBINS_Ingress_Pack
  • Powershell_Cradle_Staged
  • Ingress_Tool_Transfer
  • 04_DefenseEvasion_Renamed
Cousin / Adjacent: MSHTA Execution · Certutil Download · Regsvr32 Proxy · BitsAdmin Transfer · Wscript/Cscript · Compiled HTML (CHM) · Electron App Abuse
MITRE: T1218 Sys Binary Proxy · T1059.001 PowerShell · T1105 Ingress Transfer · T1036.003 Renamed Binary · T1218.011 Rundll32 · T1218.005 Mshta
Persistence
Registry Persistence Ecosystem
Boot · LSA · Payload Stash · Drift
  • Registry_Persistence_Boot (primary)
  • Registry_Payload_Stash
  • Registry_Persistence_LSA
  • Registry_Core_Hunt
  • Registry_Persistence_Drift_ReWrite
  • ADX_Registry_Persistence
  • Registry_Persistence_Security
  • Registry_Persistence_UAC
  • Registry_Persistence_Hive
Cousin / Adjacent: TaskCache (silent) · Service ImagePath Hijack · COM Object Hijack · AppInit DLL · Winlogon Helper · Time Provider DLL
MITRE: T1547.001 Run Keys · T1112 Modify Registry · T1547.005 Security Support · T1553.004 Code Signing · T1548.002 UAC Bypass · T1027 Obfuscated Files
Persistence
Scheduled Task Ecosystem
TaskCache · AT · BITS
  • 02_ScheduledTask_Persistence
  • 03_Persistence_Surface
  • Scheduled_Tasks_Abuse
  • Scheduled_Tasks_Rundll
Cousin / Adjacent: TaskCache (no schtasks.exe) · AT Job Legacy · BITS Job Persistence · Winlogon Helper
MITRE: T1053.005 Scheduled Task · T1053.002 AT Job · T1197 BITS Jobs · T1547.004 Winlogon
Def Evasion
BYOVD / LOLDriver Ecosystem
Kernel · Delayed/Staged · Combined
  • LOLDriver_Abuse_Kernel
  • LOLDrivers_BYOVD_Combined_Rule
  • _BYOVD_Service_Creation_Detection
  • LOLDRIVER_Abuse-v2
  • LOLDRIVER_BYOVD_Delayed_Staged
Cousin / Adjacent: ProcExp Driver Abuse · EDR Kill via Vulnerable Driver · HVCI Bypass Attempt · Driver Signature Spoof
MITRE: T1014 Rootkit · T1562.001 Impair Defences · T1068 Privilege Escalation · T1543.003 Windows Service
Def Evasion
DLL Sideloading Chain
MDE · Sentinel · BYOVD Combo
  • DLL_Sideload_BYOVD_CHAIN_UNIFIED
  • MDE_DLL_Sideloading_Attack_Chain
  • L3_DLL_SIDELOAD_CHAIN_SENTINEL
  • DLL_Sideload_BYOVD_CHAIN_MDE_ONLY
Cousin / Adjacent: Search Order Hijack · Phantom DLL · Known DLL Override · SxS DLL Hijack
MITRE: T1574.002 DLL Sideloading · T1574.001 DLL Search Order · T1574.006 Dynamic Linker
Def Evasion
In-Memory Injection + Obfuscation
Process Injection · AMSI Bypass · Polymorphic
  • AMSI_Bypass_Hunt
  • Polymorphic_Malware
  • EDR_Malicious_Driver_Tamper
  • In-Memory Injection Detection (pack)
  • Obfuscation (pack)
  • WSL_Hunt_Advanced_Pack
  • WSL_Hunt_REFACTORED
Cousin / Adjacent: Reflective DLL Injection · Process Hollowing · Heaven's Gate · ETW Patching · WSL Linux Binary Proxy
MITRE: T1055 Process Injection · T1562.001 Impair Defences · T1027.010 Command Obfusc · T1497 Virtualization Evasion · T1202 Indirect Cmd Exec
Cred Access
LSASS + NTDS + Secrets
DC Attack · Staging · Recon
  • COMPOSITE_L3_LSASS
  • Lsass_Access_Or_Dump_Attempts
  • NTDS.dit_Core_Detection
  • NTDS.dit_DC_Attack_Hunt
  • NTDS_Server_Staging
  • SecretsRecon_Hunt
  • Credential_Keyword_File_Hunt
  • Password_Files_Credential_Recon
  • Unsafe-Password-Stores
  • Composite_LSASS_Credential (x3)
  • Cousin_Discovery_Logon
Cousin / Adjacent: SAM Hive Dump · DCSync · Credential Manager · GPP Password · LSASS Non-Dump Access · Mimikatz Sekurlsa
MITRE: T1003.001 LSASS Memory · T1003.003 NTDS · T1552 Unsecured Creds · T1003.002 SAM · T1087 Account Discovery
Cred Access
Kerberos Attack Ecosystem
Kerberoasting · AS-REP · PTH/PTT
  • KERBEROASTING_UNIFIED_Sentinel_MDE
  • KERBEROASTING_CLIENT_HEURISTIC_MDE
  • KERBEROASTING_TGS_ANOMALY_SENTINEL
  • Kerberoasting_Hunt
  • ENDPOINT_KERBEROS_SVC_RECON_PORT88
  • PASS_THE_HASH_TICKET_NEW_HOST
  • Sensitive_Cert_Attack_Vectors
Cousin / Adjacent: AS-REP Roasting · Golden Ticket · Silver Ticket · Diamond Ticket · ADCS ESC1-8
MITRE: T1558.003 Kerberoasting · T1558.004 AS-REP Roast · T1550.003 Pass-the-Ticket · T1558.001 Golden Ticket · T1649 Steal Cert
Lateral
SMB / RPC Lateral Movement
PsExec · TaskExec · Critical Shares
  • SMB_Services_PsExec
  • SMB_TaskExec_Svchosts (v2)
  • SMB_RPC_Lateral_Movement_Hunt
  • SMB_Critical_Share_Hunt
  • ADX_SMB_Svhosts_Harvester
  • SMB_Svhosts_Empire
  • SMB_Critical_Share_Fixed
Cousin / Adjacent: DCOM Lateral · WinRM Exec · Pass-the-Hash via SMB · SSH Lateral (Linux) · Impacket Tooling
MITRE: T1021.002 SMB/Admin · T1569.002 Service Exec · T1543.003 Windows Svc · T1570 Lateral Transfer · T1550.002 PTH
Lateral + Exec
WMI Ecosystem
Fileless · Permanent Sub · Atomic
  • WMI_FILELESS_ATTACK
  • WMI_Permanent_Subscription
  • WmiPrvSE_Secondary
  • WMI-Atomic-Behavioural-Hunt-Pack
  • WMI_Fileless_Consumer
  • WMI_Fileless_Scrcons
  • WMI-L2_Remote_Process
  • WMI_Fileless_Execution
Cousin / Adjacent: DCOM via WMI · MOF File Abuse · WMI Provider Host Masq · WMI via PS Remoting
MITRE: T1047 WMI · T1546.003 WMI Event Sub · T1059.001 PowerShell · T1021.003 DCOM
Lateral
RDP Ecosystem
Post-Access File Drop
  • RDP_Following_Susp_File_Drop
Cousin / Adjacent: RDP Session Hijack · Sticky Keys Backdoor · RDP Tunnel · xFreeRDP / SharpRDP
MITRE: T1021.001 RDP · T1546.008 Accessibility · T1563.002 RDP Hijack
Identity / Cloud
OAuth / Token Abuse + Azure
Consent · Token Theft · SP Backdoor · Azure RunCommand
  • OAuth_Consent_Abuse (primary)
  • OAuth_Token_Theft_Anomaly
  • Service_Principal_Backdoor
  • Azure_RunCommand_Abuse
  • VM_Extension_Tampering_Network
  • Sentinel_Susp_Malicious_Signins
  • OAuth_Threat_Hunter_Pack (full)
  • 0Auth_App_Consent
Cousin / Adjacent: Device Code Phishing · Refresh Token Abuse · SAML Golden Ticket · Managed Identity Abuse · App Impersonation · Conditional Access Bypass
MITRE: T1528 Steal App Token · T1550.001 App Access Token · T1078.004 Cloud Accounts · T1606.002 SAML Token · T1578 Modify Cloud Compute · T1136.003 Cloud Account
Discovery
AD Recon + Browser Artefacts
Cert Attack Vectors · Browser Extensions
  • 05_AD_Recon_Discovery
  • 06_Local_SecretHunting
  • MDE_Malicious_Browser_Extension_Hunt
  • Malicious_Browser_Extension_Hunt
  • CVE_Internet_Facing_Devices
Cousin / Adjacent: BloodHound Collector Detection · LDAP Enumeration · Net Commands · ShareFinder
MITRE: T1087.002 Domain Account · T1482 Domain Trust · T1518.001 Security Software · T1176 Browser Extensions
Exfiltration
Clipboard + Data Exfil
Clipboard Intercept · Credential Keyword Hunt
  • Data_Exfiltration_Clipboard_Events
  • Credential_Keyword_File_Hunt
Cousin / Adjacent: Staging + Archive + Outbound · Cloud Sync Exfil (OneDrive/Box) · DNS Exfil · HTTPS Upload to Paste Sites
MITRE: T1115 Clipboard Data · T1041 Exfil over C2 · T1048 Exfil over Alt Protocol · T1567 Exfil to Web Service
RMM / Access
RMM Abuse Ecosystem
LOLRMM · VPN First Use · Suspicious Drop
  • Unauthorized_RMM_Activity_LOLRMM
  • RMM_Suspicious_Dropv2
  • _First_Time_VPN_RMM_Hunt_V5
  • C2_and_RMM_Behavioural_Abuse
Cousin / Adjacent: AnyDesk/TeamViewer Silent Install · ScreenConnect Abuse · Atera Agent Deploy · VPN Split Tunnel Abuse
MITRE: T1219 Remote Access Software · T1133 External Remote Svcs · T1021 Remote Services
Impact
Ransomware Cousin Ecosystem
Encryption · Shadow Delete · Service Stop
  • Cousin_EncryptionVelocity
  • Cousin_ShadowDeletion
  • Cousin_ServiceStopPlus
Cousin / Adjacent: Backup Deletion (wbadmin) · Firewall Disable Pre-Encrypt · Network Share Encryption · MBR Wipe · Ransom Note Drop
MITRE: T1486 Data Encrypted · T1490 Inhibit Recovery · T1489 Service Stop · T1485 Data Destruction
Control Plane
Rogue / Unmanaged Device
3 rule variants + strict mode
  • Rogue_Unmanaged_Device_Detection
  • Rogue_Umanaged_DevicesV2
  • Rogue_Device_Stricter_Rule
  • Control-Plane_Exposure (pack)
Cousin / Adjacent: Shadow IT Cloud Resource · Unauthorised Network Device · Unmanaged Endpoint Enrol · NAC Bypass
MITRE: T1200 Hardware Additions · T1078 Valid Accounts · T1133 External Remote Svcs
◆ Novel Tradecraft

Novel Tradecraft Research: These ecosystems represent emerging and custom-researched threat families with original detection authored specifically against them. This is original research — not lifted from vendor blogs. Each includes a dedicated POC hunt pack, threat analysis, and IR SOP where applicable. Repo: Novel-Tradecraft-Research-Emerging-Attack-Ecosystems
◆ SilverFox / ValleyRAT Ecosystem
Repo: Novel-Tradecraft-Research
SilverFox BYOVD Chain (LIVE)
SilverFox uses BYOVD (Bring Your Own Vulnerable Driver) to kill EDR before deploying ValleyRAT. Full attack chain: stager → driver load → EDR kill → RAT deploy. Three detection layers: core hunt, advanced rule, and BYOVD-specific variant.
  • SilverFox-BYOVD-Core-Hunt
  • SilverFox-BYOVD-Advanced-Hunt
  • SilverFox_ValleyRAT_AdvancedRule
  • SilverFox_ValleyRAT_Stager
  • SilverFox_ValleyRAT_ScriptStager
  • Silverfox-ValleyRAT-core-hunt (Attack-POC repo)
  • SilverFox_ValleyRAT_Injection_Hunt
SilverFox vs Polymorphic Malware (RESEARCH)
Analysis of SilverFox BYOVD interaction with polymorphic malware — how signature-mutating payloads interact with vulnerable driver exploitation chains. Original threat research comparing two evasion paradigms.
  • SilverFox-BYOVD-Vs-Polymorphic-Malware (analysis)
  • Polymorphic_Malware (Attack-POC repo)
MITRE: T1014 Rootkit · T1562.001 Impair Defences · T1027.001 Binary Padding
ValleyRAT Detection Pack (LIVE)
Multi-stage ValleyRAT detection covering injection behaviour, script stager, and RAT persistence mechanisms. Cross-platform between MDE and Sentinel. Includes README and threat profile.
  • SilverFox ValleyRAT Detection Rules (folder)
MITRE: T1055 Process Injection · T1059.005 VBScript · T1547 Boot Autostart
◆ EtherRAT / React2Shell — CVE-2025-55182
Repo: Novel-Tradecraft-Research
React2Shell EtherRAT Full Pack (POC)
Original research and detection for EtherRAT delivered via React2Shell exploitation (CVE-2025-55182). Post-exploitation behaviour analysis + detection. Includes test handbook and IR SOP.
  • React2Shell_CVE-2025-55182 (detection)
  • React2Shell_EtherRAT_CVE-2025-55182_Hunt (folder)
  • EtherRAT (Attack-POC repo folder)
MITRE: T1190 Exploit Public App · T1059 Command Interpreter · T1071 App Layer Protocol
PulsarRAT POC Detection (POC)
Early-stage POC detection for PulsarRAT — a lightweight remote access tool with evasive comms. Detection is authored against behavioural indicators rather than signatures.
  • PulsarRAT_POC
MITRE: T1071 App Layer Protocol · T1219 Remote Access Software
◆ Steganographic Loader Ecosystem
Repo: Novel-Tradecraft-Research + Attack-Ecosystems-and-POC
Stego Threat Analysis + Hunter Pack (LIVE)
Full ecosystem for detecting malicious payloads delivered via steganographic image loaders. Covers memory indicators, image inspection, loader chain detection, and IR SOP. Multi-phase detection approach.
  • Stego-Image-Loader (core)
  • Stego-Malicious-Image-Loader
  • Stego_Loader_Basic_Hunt
  • Stego_Memory_Indicators_Phase2
  • Stego_Threat_Hunters_Incident_Response_SOP
  • Stego_Threat_Analysis_And_Hunter_Pack (folder)
MITRE: T1027.003 Steganography · T1027 Obfuscated Files · T1055 Process Injection
Hijacked Libraries Research (RESEARCH)
Research dataset mapping hijackable libraries (hijack-libs.csv), used as a threat modelling input for DLL hijack detection coverage. Feeds into the DLL sideloading ecosystem.
  • hijack-libs.csv (threat model dataset)
  • Threat Modelling Project #1.md
MITRE: T1574.002 DLL Sideloading · T1574.001 DLL Search Order

Roadmap

Pipeline philosophy: Rules are sequenced by ecosystem completion priority, not MITRE square count. An incomplete ecosystem with a mapped cousin gap is higher priority than a new standalone rule. The roadmap below reflects the logical build order — each row closes an existing cousin gap or opens a new ecosystem that feeds the existing detection architecture.
Phase 1 — Close Existing Ecosystem Gaps
Exfiltration Ecosystem (PIPELINE)
Staging → archive creation → large outbound transfer composite. Currently only clipboard exfil is covered. Need: compression utility abuse, cloud sync exfil (OneDrive/SharePoint), HTTPS upload to paste sites, DNS exfil chain.
MITRE: T1041 · T1048 · T1567 · T1052
RDP Full Ecosystem (PIPELINE)
RDP file drop is covered. RDP session hijack, sticky keys backdoor, RDP tunnel via port forward, SharpRDP, xFreeRDP lateral movement — all unmapped. Cousin gap from the SMB/WMI lateral ecosystem.
MITRE: T1021.001 · T1546.008 · T1563.002
Backup System Targeting (PIPELINE)
Shadow copy deletion cousin exists. No dedicated backup software process kill — Veeam, Backup Exec, Windows Server Backup. Pre-ransomware backup destruction is systematic. Need T1490 composite beyond VSS.
MITRE: T1490 Inhibit Recovery · T1485 Data Destruction
ADCS / Certificate Abuse (PIPELINE)
Sensitive_Cert_Attack_Vectors exists as a single rule. Full ADCS ESC1-8 ecosystem needed. Certificate template abuse, unauthorised CA enrolment, certificate theft — a growing AD priv escalation vector.
MITRE: T1649 Steal Cert · T1552.004 Private Keys
WinRM / DCOM Lateral Cousins (PIPELINE)
SMB and WMI lateral covered. WinRM (Evil-WinRM, PSRemoting) and DCOM (MMC20, ShellWindows) are the two remaining primary lateral movement paths without dedicated ecosystem rules.
MITRE: T1021.006 WinRM · T1021.003 DCOM
DNS Tunnelling C2 Cousin (PIPELINE)
HTTPS and Named Pipe C2 covered. DNS tunnelling (iodine, dnscat2, DNScat) is the natural cousin — same intent, different protocol. Single detection rule closes the C2 ecosystem cousin gap.
MITRE: T1071.004 DNS · T1048.003 DNS Exfil
Phase 2 — New Ecosystems
Initial Access — Phishing Attachment Chain (PIPELINE)
SafeLinks click-through covered. Full attachment execution chain (ISO/LNK/OneNote/HTML smuggling) needs dedicated ecosystem. Entry point detection is the weakest part of current coverage.
MITRE: T1566.001 · T1204.002 · T1027.006 HTML Smuggling
Cloud Resource Abuse (PIPELINE)
Beyond OAuth identity — Azure compute resource creation, cryptomining via hijacked cloud resources, S3/Blob storage data exfiltration, Lambda/Function abuse. Cloud coverage is identity-only currently.
MITRE: T1578 · T1496 · T1530
Golden / Silver / Diamond Ticket (PIPELINE)
Kerberoasting ecosystem is now complete. The next Kerberos tier is ticket forgery — Golden Ticket (KRBTGT hash), Silver Ticket (service account), Diamond Ticket (modified TGT). Separate ecosystem from roasting.
MITRE: T1558.001 Golden · T1558.002 Silver
Supply Chain / Dependency Confusion (RESEARCH)
Hijack-libs.csv exists as a dataset. Dependency confusion, typosquatting package installs, compromised build pipeline detection — emerging attack vector with weak current tooling across the industry.
MITRE: T1195.002 Compromise SW Supply Chain
Risk-Based Hunt Operationalisation (PIPELINE)
Risk_Based_Hunts folder exists. Formalise the methodology — asset criticality weighting, exploit-in-wild prioritisation, threat intel feed integration (ThreatView_Threatintel_Feed). Turn hunts into scheduled KQL workbooks.
Cross-tactic · Risk-weighted
KQL Join Operator Framework (RESEARCH)
KQL-Join-Operator-Guide folder exists. This is infrastructure knowledge — formalise into reusable join patterns for multi-table composite rules. Feeds every ecosystem at engineering level.
Detection Engineering · KQL Architecture
Coverage Gaps

Gap identification methodology: Gaps are identified by ecosystem shape, not MITRE square count. A gap exists where attack intent is covered on one substrate but cousin surfaces remain unmapped — meaning an adversary who pivots technique after a detection fires goes undetected. Gaps below are ranked by adversary pivot probability.
Tier 1 — Adversary Will Pivot Here
Exfiltration Chain (MISSING ECOSYSTEM)
Clipboard exfil exists. Staging → compression → large outbound transfer chain is absent. Double-extortion ransomware exfils before encrypting — this is where the actual damage measurement happens.
RDP Full Ecosystem (COUSIN GAP)
File drop post-RDP exists. Session hijack, sticky keys backdoor, SharpRDP, RDP tunnelling through port forwards — all gaps. RDP is the most common lateral movement vector in enterprise breaches.
WinRM / DCOM Lateral (COUSIN GAP)
SMB and WMI lateral are fully mapped. WinRM (T1021.006) and DCOM (T1021.003) are the two remaining primary lateral paths. Evil-WinRM is standard post-exploitation tooling. Classic cousin gap in the lateral ecosystem.
DNS Tunnelling C2 (COUSIN GAP)
HTTPS and Named Pipe C2 covered. DNS tunnelling is the natural fallback when HTTPS is blocked or detected. iodine, dnscat2, DNScat — same C2 intent, different protocol. Single rule closes this cousin gap.
Backup Software Targeting (COUSIN GAP)
VSS/shadow deletion covered. Dedicated backup software process kill (Veeam Agent, wbadmin, ntbackup) is absent. Pre-ransomware backup destruction is now systematic — this fires before encryption velocity.
Network Share Encryption (COUSIN GAP)
Local encryption velocity is covered. Ransomware increasingly encrypts network shares before local files. SMB write velocity to UNC paths is the missing cousin to the local encryption detection.
Tier 2 — Growing Attack Surface
ADCS Full Ecosystem (PARTIAL)
Single cert detection rule exists. ESC1-8 template abuse, unauthorised CA enrolment, certificate theft for persistence — entire ADCS privilege escalation chain needs dedicated ecosystem.
Golden/Silver/Diamond Ticket (MISSING)
Kerberoasting ecosystem is now complete and strong. The next tier — ticket forgery — has no coverage. Golden Ticket (KRBTGT), Silver Ticket (service), Diamond Ticket (modified TGT). Different substrate from roasting.
Cloud Resource Abuse (PARTIAL)
OAuth/identity is well covered. Post-identity cloud resource abuse — compute creation, cryptomining, S3/Blob exfil, Lambda function abuse — is absent. Cloud coverage is identity-only currently.
Device Code Phishing (COUSIN GAP)
OAuth consent abuse is covered. Device code phishing uses the legitimate OAuth device auth flow — different substrate, same token theft intent. Increasingly used against M365 environments.
COM Object Hijack Persistence (COUSIN GAP)
Registry and ScheduledTask persistence fully covered. COM object hijack (T1546.015) is user-land persistence without registry run key writes — different substrate, same persistence intent. Natural cousin gap.
Supply Chain / Dependency Confusion (RESEARCH ONLY)
Hijack-libs.csv dataset exists. Operationalised detection for dependency confusion, typosquatting, compromised build pipeline — absent. Growing attack vector with weak industry-wide tooling.