Security Checks Reference
Complete list of 150+ security controls monitored by QuickSecure
150+ Security Checks | 25+ MITRE Techniques | 3 Platforms | 7.5K+ Detection Patterns
Windows Security Checks
Persistence Mechanisms
| Check | Description | MITRE ATT&CK | Severity |
|---|---|---|---|
| WIN-PERS-001 | Registry Run/RunOnce keys modification | T1547.001 | High |
| WIN-PERS-002 | Scheduled Tasks creation/modification | T1053.005 | High |
| WIN-PERS-003 | Windows Service installation | T1543.003 | High |
| WIN-PERS-004 | Startup folder modification | T1547.001 | Medium |
| WIN-PERS-005 | WMI event subscription | T1546.003 | High |
| WIN-PERS-006 | DLL Search Order Hijacking | T1574.001 | Critical |
Defense Evasion
| Check | Description | MITRE ATT&CK | Severity |
|---|---|---|---|
| WIN-DEF-001 | Windows Defender exclusions modified | T1562.001 | Critical |
| WIN-DEF-002 | Real-time protection disabled | T1562.001 | Critical |
| WIN-DEF-003 | Event log cleared/disabled | T1070.001 | High |
| WIN-DEF-004 | AMSI bypass attempt | T1562.001 | Critical |
| WIN-DEF-005 | Process hollowing detected | T1055.012 | Critical |
Credential Access
| Check | Description | MITRE ATT&CK | Severity |
|---|---|---|---|
| WIN-CRED-001 | LSASS memory access attempt | T1003.001 | Critical |
| WIN-CRED-002 | SAM database access | T1003.002 | Critical |
| WIN-CRED-003 | Browser password extraction | T1555.003 | High |
| WIN-CRED-004 | Mimikatz signature detected | T1003 | Critical |
Linux Security Checks
Persistence
| Check | Description | MITRE ATT&CK | Severity |
|---|---|---|---|
| LNX-PERS-001 | Cron job modification | T1053.003 | High |
| LNX-PERS-002 | Systemd service installation | T1543.002 | High |
| LNX-PERS-003 | SSH authorized_keys modified | T1098.004 | High |
| LNX-PERS-004 | LD_PRELOAD hijacking | T1574.006 | Critical |
| LNX-PERS-005 | Bashrc/profile backdoor | T1546.004 | High |
Privilege Escalation
| Check | Description | MITRE ATT&CK | Severity |
|---|---|---|---|
| LNX-PRIV-001 | SUID/SGID binary abuse | T1548.001 | High |
| LNX-PRIV-002 | Sudo misconfiguration exploit | T1548.003 | Critical |
| LNX-PRIV-003 | Kernel exploit attempt | T1068 | Critical |
Behavioral Protection Patterns
| Check | Description | MITRE ATT&CK | Severity |
|---|---|---|---|
| WIN-BHV-001 | Security Tool Tampering Attempt | T1562.001 | Critical |
| WIN-BHV-002 | Recovery Inhibition / Shadow Copy Deletion | T1490 | Critical |
| WIN-BHV-003 | Mass File Encryption Behavior | T1486 | Critical |
| WIN-BHV-004 | Bulk Data Exfiltration Attempt | T1567, T1041 | Critical |
| WIN-BHV-005 | Suspicious Driver Load / BYOVD | T1068, T1014 | Critical |
| WIN-BHV-006 | Suspicious Data Staging Archive | T1560, T1074 | High |
| WIN-BHV-007 | LOLBAS Proxy Execution | T1218, T1059 | High |
| WIN-BHV-008 | Suspicious Download and Execute Chain | T1105, T1204 | High |
| WIN-BHV-009 | Suspicious Service Installation | T1543.003 | High |
| WIN-BHV-010 | Suspicious Scheduled Task Creation | T1053.005 | High |
| WIN-BHV-011 | Reconnaissance Command Burst | T1087, T1018 | Medium |
| WIN-BHV-012 | Unauthorized Remote Access Tool | T1219 | High |
Supply Chain Checks
Package Security
| Check | Description | MITRE ATT&CK | Severity |
|---|---|---|---|
| SC-001 | Malicious npm postinstall script | T1195.001 | Critical |
| SC-002 | Compromised package detected | T1195.002 | Critical |
| SC-003 | GitHub credential theft attempt | T1552.001 | Critical |
| SC-004 | Typosquatting package installed | T1195.001 | High |