Impact Detection Rules
The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.
df00tech ships 34 production-ready detection rules mapped to the Impact tactic (TA0040). Each rule below includes copy-paste queries for Microsoft Sentinel (KQL), Splunk (SPL), Elastic (EQL), QRadar, Sumo Logic, Chronicle and LogScale, with data-source requirements, severity and false-positive guidance — free to use.
Impact detections (34)
- T1485 Data Destruction
- T1485.001 Lifecycle-Triggered Deletion
- T1486 Data Encrypted for Impact
- T1489 Service Stop
- T1490 Inhibit System Recovery
- T1491 Defacement
- T1491.001 Internal Defacement
- T1491.002 External Defacement
- T1495 Firmware Corruption
- T1496 Resource Hijacking
- T1496.001 Compute Hijacking
- T1496.002 Bandwidth Hijacking
- T1496.003 SMS Pumping
- T1496.004 Cloud Service Hijacking
- T1498 Network Denial of Service
- T1498.001 Direct Network Flood
- T1498.002 Reflection Amplification
- T1499 Endpoint Denial of Service
- T1499.001 OS Exhaustion Flood
- T1499.002 Service Exhaustion Flood
- T1499.003 Application Exhaustion Flood
- T1499.004 Application or System Exploitation
- T1529 System Shutdown/Reboot
- T1531 Account Access Removal
- T1561 Disk Wipe
- T1561.001 Disk Content Wipe
- T1561.002 Disk Structure Wipe
- T1565 Data Manipulation
- T1565.001 Stored Data Manipulation
- T1565.002 Transmitted Data Manipulation
- T1565.003 Runtime Data Manipulation
- T1657 Financial Theft
- T1667 Email Bombing
- THREAT-Ransomware-StagingIndicators Ransomware Pre-Deployment Staging Indicators