---
type: "mapping-set"
title: "Sigma rules → #9 Social Engineering"
description: "16 Sigma rule entries mapped to TLCTC #9 Social Engineering."
resource: "tlctc:mapping:sigma:cluster-9"
tags:
  - "mapping"
  - "sigma"
  - "cluster-9"
---
# Sigma rules → #9 Social Engineering

> Source: SigmaHQ rules → TLCTC mapping (`mappings/sigma/`). Derived via ATT&CK technique mapping.

Mapped entries: **16**. Cluster: [#9 Social Engineering](/clusters/cluster-9.md).

| Rule | Techniques | Cluster set | Status |
|---|---|---|---|
| Potential Malicious Usage of CloudTrail System Manager | T1566 | #9 | ok |
| Suspicious Email Delivered In Microsoft 365 | T1566 | #9 | ok |
| Okta FastPass Phishing Detection | T1566 | #9 | ok |
| Suspicious External WebDAV Execution | T1566, T1584 | #9 | ambiguous |
| ISO Image Mounted | T1566 | #9 | ok |
| ISO File Created Within Temp Folders | T1566 | #9 | ok |
| ISO or Image Mount Indicator in Recent Files | T1566 | #9 | ok |
| Office Macro File Creation | T1566 | #9 | ok |
| Office Macro File Download | T1566 | #9 | ok |
| Office Macro File Creation From Suspicious Process | T1566 | #9 | ok |
| Suspicious File Created in Outlook Temporary Directory | T1566 | #9 | ok |
| Suspicious Microsoft OneNote Child Process | T1566 | #9 | ok |
| Suspicious Execution From Outlook Temporary Folder | T1566 | #9 | ok |
| Phishing Pattern ISO in Archive | T1566 | #9 | ok |
| Suspicious Double Extension File Execution | T1566 | #9 | ok |
| Windows Registry Trust Record Modification | T1566 | #9 | ok |
