diff --git a/docs/analytics/by_technique/index.md b/docs/analytics/by_technique/index.md index 08777978..c4db61a6 100644 --- a/docs/analytics/by_technique/index.md +++ b/docs/analytics/by_technique/index.md @@ -58,22 +58,22 @@ permalink: /analytics/by_technique (N/A - technique only) - - T1021.006: Windows Remote Management - - T1021.002: SMB/Windows Admin Shares - - T1021.001: Remote Desktop Protocol - - T1021.003: Distributed Component Object Model + + T1021.006: Windows Remote Management + + + + T1021.001: Remote Desktop Protocol + + T1029: Scheduled Transfer (N/A - technique only) @@ -159,14 +159,14 @@ permalink: /analytics/by_technique (N/A - technique only) - - T1059.001: PowerShell - - T1059.003: Windows Command Shell + + T1059.001: PowerShell + + T1059.005: Visual Basic @@ -190,10 +190,6 @@ permalink: /analytics/by_technique T1070: Indicator Removal - - T1070.005: Network Share Connection Removal - - T1070.003: Clear Command History @@ -202,6 +198,10 @@ permalink: /analytics/by_technique T1070.001: Clear Windows Event Logs + + T1070.005: Network Share Connection Removal + + T1078: Valid Accounts @@ -281,10 +281,6 @@ permalink: /analytics/by_technique T1218.011: Rundll32 - - T1218.003: CMSTP - - T1218.010: Regsvr32 @@ -293,6 +289,10 @@ permalink: /analytics/by_technique T1218.001: Compiled HTML File + + T1218.003: CMSTP + + T1222: File and Directory Permissions Modification @@ -327,41 +327,41 @@ permalink: /analytics/by_technique T1546: Event Triggered Execution - - T1546.010: AppInit DLLs - - T1546.015: Component Object Model Hijacking - T1546.001: Change Default File Association - + T1546.002: Screensaver + - T1546.003: Windows Management Instrumentation Event Subscription - + T1546.010: AppInit DLLs + T1546.008: Accessibility Features - T1546.002: Screensaver - + T1546.001: Change Default File Association + - T1547: Boot or Logon Autostart Execution + T1546.003: Windows Management Instrumentation Event Subscription + - T1547.004: Winlogon Helper DLL - + T1547: Boot or Logon Autostart Execution T1547.001: Registry Run Keys / Startup Folder + + T1547.004: Winlogon Helper DLL + + T1547.010: Port Monitors @@ -409,10 +409,6 @@ permalink: /analytics/by_technique T1562: Impair Defenses - - T1562.001: Disable or Modify Tools - - T1562.006: Indicator Blocking @@ -421,6 +417,10 @@ permalink: /analytics/by_technique T1562.002: Disable Windows Event Logging + + T1562.001: Disable or Modify Tools + + T1564: Hide Artifacts T1564.004: NTFS File Attributes @@ -445,6 +445,10 @@ permalink: /analytics/by_technique T1574: Hijack Execution Flow + + T1574.001: DLL Search Order Hijacking + + T1574.009: Path Interception by Unquoted Path @@ -453,10 +457,6 @@ permalink: /analytics/by_technique T1574.011: Services Registry Permissions Weakness - - T1574.001: DLL Search Order Hijacking - - T1574.010: Services File Permissions Weakness diff --git a/docs/car_attack/car_attack.json b/docs/car_attack/car_attack.json index a2dee028..907e155f 100644 --- a/docs/car_attack/car_attack.json +++ b/docs/car_attack/car_attack.json @@ -5,128 +5,139 @@ "domain": "mitre-enterprise", "techniques": [ { - "techniqueID": "T1053", + "techniqueID": "T1548", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1053.005", + "techniqueID": "T1548.002", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", "enabled": true }, { - "techniqueID": "T1087", + "techniqueID": "T1021", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments | CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM) | CAR-2016-04-005: Remote Desktop Logon", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1087.001", + "techniqueID": "T1021.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", "enabled": true }, { - "techniqueID": "T1087.002", + "techniqueID": "T1021.003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2014-05-001: RPC Activity", "enabled": true }, { - "techniqueID": "T1069", + "techniqueID": "T1021.006", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM)", + "enabled": true }, { - "techniqueID": "T1069.001", + "techniqueID": "T1070", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", - "enabled": true + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1069.002", + "techniqueID": "T1070.003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "comment": "CAR-2020-11-005: Clear Powershell Console Command History", "enabled": true }, { - "techniqueID": "T1016", + "techniqueID": "T1053", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1082", + "techniqueID": "T1053.005", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", + "enabled": true }, { - "techniqueID": "T1033", + "techniqueID": "T1553", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1057", + "techniqueID": "T1553.004", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", + "enabled": true }, { - "techniqueID": "T1007", + "techniqueID": "T1003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS | CAR-2021-05-011: Create Remote Thread into LSASS", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1546", + "techniqueID": "T1003.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2021-05-011: Create Remote Thread into LSASS", + "enabled": true + }, + { + "techniqueID": "T1037", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1546.010", + "techniqueID": "T1037.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-09-005: AppInit DLLs", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", "enabled": true }, { - "techniqueID": "T1574", + "techniqueID": "T1562", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1574.009", + "techniqueID": "T1562.006", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-07-001: Service Search Path Interception", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", "enabled": true }, { - "techniqueID": "T1547", + "techniqueID": "T1570", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1547.004", + "techniqueID": "T1574", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1574.001", + "color": "#c6dbef", + "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "enabled": true }, { @@ -137,39 +148,69 @@ "showSubtechniques": true }, { - "techniqueID": "T1105", + "techniqueID": "T1218", "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", + "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | CAR-2020-11-009: Compiled HTML Access | CAR-2020-11-010: CMSTP", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1059", + "techniqueID": "T1218.011", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", + "comment": "CAR-2014-03-006: RunDLL32.exe monitoring", + "enabled": true + }, + { + "techniqueID": "T1546", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1059.001", + "techniqueID": "T1546.015", "color": "#c6dbef", - "comment": "CAR-2014-04-003: Powershell Execution | CAR-2014-11-004: Remote PowerShell Sessions", + "comment": "CAR-2020-09-002: Component Object Model Hijacking", "enabled": true }, { - "techniqueID": "T1047", + "techniqueID": "T1046", "color": "#c6dbef", - "comment": "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | CAR-2014-12-001: Remotely Launched Executables via WMI | CAR-2016-03-002: Create Remote Process via WMIC", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1040", + "techniqueID": "T1218.010", "color": "#c6dbef", - "comment": "CAR-2020-11-002: Local Network Sniffing", + "comment": "CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", + "enabled": true + }, + { + "techniqueID": "T1070.001", + "color": "#c6dbef", + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "enabled": true + }, + { + "techniqueID": "T1543", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", "enabled": true, "showSubtechniques": true }, + { + "techniqueID": "T1543.003", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", + "enabled": true + }, + { + "techniqueID": "T1574.009", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-07-001: Service Search Path Interception", + "enabled": true + }, { "techniqueID": "T1012", "color": "#c6dbef", @@ -177,6 +218,13 @@ "enabled": true, "showSubtechniques": true }, + { + "techniqueID": "T1547", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "enabled": true, + "showSubtechniques": true + }, { "techniqueID": "T1547.001", "color": "#c6dbef", @@ -190,360 +238,370 @@ "enabled": true }, { - "techniqueID": "T1562", + "techniqueID": "T1550", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", + "comment": "CAR-2016-04-004: Successful Local Account Login", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1562.001", + "techniqueID": "T1550.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt", + "comment": "CAR-2016-04-004: Successful Local Account Login", "enabled": true }, { - "techniqueID": "T1187", + "techniqueID": "T1547.004", "color": "#c6dbef", - "comment": "CAR-2013-09-003: SMB Session Setups", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", + "enabled": true }, { - "techniqueID": "T1036", + "techniqueID": "T1552", "color": "#c6dbef", - "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", + "comment": "CAR-2020-09-004: Credentials in Files & Registry", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1036.003", + "techniqueID": "T1552.001", "color": "#c6dbef", - "comment": "CAR-2013-05-009: Running executables with same hash and different names", + "comment": "CAR-2020-09-004: Credentials in Files & Registry", "enabled": true }, { - "techniqueID": "T1562.006", + "techniqueID": "T1552.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", + "comment": "CAR-2020-09-004: Credentials in Files & Registry", "enabled": true }, { - "techniqueID": "T1490", + "techniqueID": "T1055", "color": "#c6dbef", - "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1204", + "techniqueID": "T1055.001", "color": "#c6dbef", - "comment": "CAR-2021-05-002: Batch File Write to System32", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", + "enabled": true + }, + { + "techniqueID": "T1036", + "color": "#c6dbef", + "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1204.002", + "techniqueID": "T1036.003", "color": "#c6dbef", - "comment": "CAR-2021-05-002: Batch File Write to System32", + "comment": "CAR-2013-05-009: Running executables with same hash and different names", "enabled": true }, { - "techniqueID": "T1543", + "techniqueID": "T1218.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", + "comment": "CAR-2020-11-009: Compiled HTML Access", + "enabled": true + }, + { + "techniqueID": "T1140", + "color": "#c6dbef", + "comment": "CAR-2021-05-009: CertUtil With Decode Argument", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1543.003", + "techniqueID": "T1127", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", - "enabled": true + "comment": "CAR-2020-11-008: MSBuild and msxsl", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1574.001", + "techniqueID": "T1127.001", "color": "#c6dbef", - "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", + "comment": "CAR-2020-11-008: MSBuild and msxsl", "enabled": true }, { - "techniqueID": "T1553", + "techniqueID": "T1047", "color": "#c6dbef", - "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", + "comment": "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | CAR-2014-12-001: Remotely Launched Executables via WMI | CAR-2016-03-002: Create Remote Process via WMIC", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1553.004", + "techniqueID": "T1136", "color": "#c6dbef", - "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", - "enabled": true + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1059.003", + "techniqueID": "T1136.001", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", "enabled": true }, { - "techniqueID": "T1003", + "techniqueID": "T1059", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS | CAR-2021-05-011: Create Remote Thread into LSASS", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1003.001", + "techniqueID": "T1059.003", "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2021-05-011: Create Remote Thread into LSASS", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", "enabled": true }, { - "techniqueID": "T1021", + "techniqueID": "T1559", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments | CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM) | CAR-2016-04-005: Remote Desktop Logon", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1021.006", + "techniqueID": "T1559.002", "color": "#c6dbef", - "comment": "CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM)", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", "enabled": true }, { - "techniqueID": "T1570", + "techniqueID": "T1574.010", "color": "#c6dbef", - "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-02-001: Service Binary Modifications", + "enabled": true }, { - "techniqueID": "T1078", + "techniqueID": "T1569", "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1078.002", + "techniqueID": "T1569.002", "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true }, { - "techniqueID": "T1078.003", + "techniqueID": "T1036.005", "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2021-04-001: Common Windows Process Masquerading", "enabled": true }, { - "techniqueID": "T1053.002", + "techniqueID": "T1562.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2015-04-001: Remotely Scheduled Tasks via AT", + "comment": "CAR-2022-03-001: Disable Windows Event Logging", "enabled": true }, { - "techniqueID": "T1564", + "techniqueID": "T1569.001", "color": "#c6dbef", - "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2021-05-012: Create Service In Suspicious File Path", + "enabled": true }, { - "techniqueID": "T1564.004", + "techniqueID": "T1187", "color": "#c6dbef", - "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", - "enabled": true + "comment": "CAR-2013-09-003: SMB Session Setups", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1546.015", + "techniqueID": "T1546.002", "color": "#c6dbef", - "comment": "CAR-2020-09-002: Component Object Model Hijacking", + "comment": "CAR-2020-11-011: Registry Edit from Screensaver", "enabled": true }, { - "techniqueID": "T1021.002", + "techniqueID": "T1068", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", - "enabled": true + "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1505", + "techniqueID": "T1105", "color": "#c6dbef", - "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1505.003", + "techniqueID": "T1078", "color": "#c6dbef", - "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", - "enabled": true + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1574.010", + "techniqueID": "T1078.002", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-02-001: Service Binary Modifications", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", "enabled": true }, { - "techniqueID": "T1569", + "techniqueID": "T1078.003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "enabled": true }, { - "techniqueID": "T1569.002", + "techniqueID": "T1562.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt", "enabled": true }, { - "techniqueID": "T1070", + "techniqueID": "T1087", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1070.005", + "techniqueID": "T1087.001", "color": "#c6dbef", - "comment": "CAR-2020-11-007: Network Share Connection Removal", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true }, { - "techniqueID": "T1218", - "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | CAR-2020-11-009: Compiled HTML Access | CAR-2020-11-010: CMSTP", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1218.011", + "techniqueID": "T1087.002", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true }, { - "techniqueID": "T1037", + "techniqueID": "T1069", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1037.001", + "techniqueID": "T1069.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true }, { - "techniqueID": "T1140", + "techniqueID": "T1069.002", "color": "#c6dbef", - "comment": "CAR-2021-05-009: CertUtil With Decode Argument", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "enabled": true }, { - "techniqueID": "T1003.003", + "techniqueID": "T1016", "color": "#c6dbef", - "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1055", + "techniqueID": "T1082", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1055.001", + "techniqueID": "T1033", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1560", + "techniqueID": "T1057", "color": "#c6dbef", - "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1560.001", + "techniqueID": "T1007", "color": "#c6dbef", - "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1559", + "techniqueID": "T1204", "color": "#c6dbef", - "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "comment": "CAR-2021-05-002: Batch File Write to System32", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1559.002", + "techniqueID": "T1204.002", "color": "#c6dbef", - "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "comment": "CAR-2021-05-002: Batch File Write to System32", "enabled": true }, { - "techniqueID": "T1547.010", + "techniqueID": "T1218.003", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2020-11-010: CMSTP", "enabled": true }, { - "techniqueID": "T1574.007", + "techniqueID": "T1490", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", - "enabled": true + "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1574.008", + "techniqueID": "T1003.003", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS", "enabled": true }, { - "techniqueID": "T1546.001", + "techniqueID": "T1059.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2014-04-003: Powershell Execution | CAR-2014-11-004: Remote PowerShell Sessions", "enabled": true }, { - "techniqueID": "T1546.003", + "techniqueID": "T1546.010", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-09-005: AppInit DLLs", "enabled": true }, { - "techniqueID": "T1546.008", + "techniqueID": "T1070.005", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", + "comment": "CAR-2020-11-007: Network Share Connection Removal", "enabled": true }, { - "techniqueID": "T1218.003", + "techniqueID": "T1546.008", "color": "#c6dbef", - "comment": "CAR-2020-11-010: CMSTP", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", "enabled": true }, { - "techniqueID": "T1569.001", + "techniqueID": "T1564", "color": "#c6dbef", - "comment": "CAR-2021-05-012: Create Service In Suspicious File Path", - "enabled": true + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1546.002", + "techniqueID": "T1564.004", "color": "#c6dbef", - "comment": "CAR-2020-11-011: Registry Edit from Screensaver", + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", "enabled": true }, { @@ -553,16 +611,16 @@ "enabled": true }, { - "techniqueID": "T1548", + "techniqueID": "T1560", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", + "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1548.002", + "techniqueID": "T1560.001", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", + "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true }, { @@ -572,26 +630,6 @@ "enabled": true, "showSubtechniques": true }, - { - "techniqueID": "T1218.010", - "color": "#c6dbef", - "comment": "CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", - "enabled": true - }, - { - "techniqueID": "T1068", - "color": "#c6dbef", - "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1039", - "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring", - "enabled": true, - "showSubtechniques": true - }, { "techniqueID": "T1003.002", "color": "#c6dbef", @@ -605,6 +643,12 @@ "enabled": true, "showSubtechniques": true }, + { + "techniqueID": "T1053.002", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2015-04-001: Remotely Scheduled Tasks via AT", + "enabled": true + }, { "techniqueID": "T1029", "color": "#c6dbef", @@ -639,13 +683,6 @@ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, - { - "techniqueID": "T1046", - "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", - "enabled": true, - "showSubtechniques": true - }, { "techniqueID": "T1098", "color": "#c6dbef", @@ -660,65 +697,33 @@ "enabled": true }, { - "techniqueID": "T1021.003", - "color": "#c6dbef", - "comment": "CAR-2014-05-001: RPC Activity", - "enabled": true - }, - { - "techniqueID": "T1036.005", - "color": "#c6dbef", - "comment": "CAR-2021-04-001: Common Windows Process Masquerading", - "enabled": true - }, - { - "techniqueID": "T1222", - "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1222.001", - "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", - "enabled": true - }, - { - "techniqueID": "T1222.002", + "techniqueID": "T1547.010", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1055.012", + "techniqueID": "T1574.007", "color": "#c6dbef", - "comment": "CAR-2020-11-004: Processes Started From Irregular Parent", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1070.003", + "techniqueID": "T1574.008", "color": "#c6dbef", - "comment": "CAR-2020-11-005: Clear Powershell Console Command History", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1562.002", + "techniqueID": "T1546.001", "color": "#c6dbef", - "comment": "CAR-2022-03-001: Disable Windows Event Logging", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1136", - "color": "#c6dbef", - "comment": "CAR-2021-05-010: Create local admin accounts using net exe", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1136.001", + "techniqueID": "T1546.003", "color": "#c6dbef", - "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { @@ -735,60 +740,55 @@ "enabled": true }, { - "techniqueID": "T1550", + "techniqueID": "T1055.012", "color": "#c6dbef", - "comment": "CAR-2016-04-004: Successful Local Account Login", + "comment": "CAR-2020-11-004: Processes Started From Irregular Parent", + "enabled": true + }, + { + "techniqueID": "T1222", + "color": "#c6dbef", + "comment": "CAR-2019-07-001: Access Permission Modification", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1550.002", + "techniqueID": "T1222.001", "color": "#c6dbef", - "comment": "CAR-2016-04-004: Successful Local Account Login", + "comment": "CAR-2019-07-001: Access Permission Modification", "enabled": true }, { - "techniqueID": "T1070.001", + "techniqueID": "T1222.002", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "comment": "CAR-2019-07-001: Access Permission Modification", "enabled": true }, { - "techniqueID": "T1127", + "techniqueID": "T1040", "color": "#c6dbef", - "comment": "CAR-2020-11-008: MSBuild and msxsl", + "comment": "CAR-2020-11-002: Local Network Sniffing", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1127.001", - "color": "#c6dbef", - "comment": "CAR-2020-11-008: MSBuild and msxsl", - "enabled": true - }, - { - "techniqueID": "T1552", + "techniqueID": "T1039", "color": "#c6dbef", - "comment": "CAR-2020-09-004: Credentials in Files & Registry", + "comment": "CAR-2013-01-003: SMB Events Monitoring", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1552.001", - "color": "#c6dbef", - "comment": "CAR-2020-09-004: Credentials in Files & Registry", - "enabled": true - }, - { - "techniqueID": "T1552.002", + "techniqueID": "T1505", "color": "#c6dbef", - "comment": "CAR-2020-09-004: Credentials in Files & Registry", - "enabled": true + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1218.001", + "techniqueID": "T1505.003", "color": "#c6dbef", - "comment": "CAR-2020-11-009: Compiled HTML Access", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", "enabled": true } ] diff --git a/docs/data/analytics.json b/docs/data/analytics.json index 341dd409..b50ff824 100644 --- a/docs/data/analytics.json +++ b/docs/data/analytics.json @@ -1 +1 @@ -{"analytics": [{"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Detecting Shadow Copy Deletion or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}]} \ No newline at end of file +{"analytics": [{"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Detecting Shadow Copy Deletion or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}]} \ No newline at end of file diff --git a/docs/sensors/auditd_2.8.md b/docs/sensors/auditd_2.8.md index f82c2af1..235304ad 100644 --- a/docs/sensors/auditd_2.8.md +++ b/docs/sensors/auditd_2.8.md @@ -15,21 +15,6 @@ auditd is the userspace component to the Linux Auditing System. It's responsible ## Data Model Coverage -### [process](../data_model/process) - -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| -| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - -### [driver](../data_model/driver) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | -|---|---|---|---|---|---|---|---|---|---|---| -| `load` | | | |✓|✓|✓| |✓|✓| | | -| `unload` | | | | | | | | | | | | - ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | @@ -50,6 +35,21 @@ auditd is the userspace component to the Linux Auditing System. It's responsible | `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| | `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +### [process](../data_model/process) + +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| +| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | + +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | | | |✓|✓|✓| |✓|✓| | | +| `unload` | | | | | | | | | | | | + diff --git a/docs/sensors/autoruns_13.98.md b/docs/sensors/autoruns_13.98.md index 2cf2b3de..a32f571b 100644 --- a/docs/sensors/autoruns_13.98.md +++ b/docs/sensors/autoruns_13.98.md @@ -14,14 +14,17 @@ Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Wi ## Data Model Coverage -### [registry](../data_model/registry) +### [file](../data_model/file) -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | ✓|✓|✓|✓| |✓| | |✓| |✓| -| `key_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓| -| `remove` | | | | | | | | | | | | -| `value_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓| +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | +| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `modify` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | ### [service](../data_model/service) @@ -33,17 +36,14 @@ Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Wi | `start` | | | | | | | | | | | | `stop` | | | | | | | | | | | -### [file](../data_model/file) +### [registry](../data_model/registry) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | -| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `modify` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | +|---|---|---|---|---|---|---|---|---|---|---| +| `add` | ✓|✓|✓|✓| |✓| | |✓| |✓| +| `key_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓| +| `remove` | | | | | | | | | | | | +| `value_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓| diff --git a/docs/sensors/osquery_4.1.2.md b/docs/sensors/osquery_4.1.2.md index 17e2e2d5..a05ba2c9 100644 --- a/docs/sensors/osquery_4.1.2.md +++ b/docs/sensors/osquery_4.1.2.md @@ -14,21 +14,6 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage -### [process](../data_model/process) - -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| -| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - -### [driver](../data_model/driver) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | -|---|---|---|---|---|---|---|---|---|---|---| -| `load` | | | |✓|✓|✓| |✓|✓| | | -| `unload` | | | | | | | | | | | | - ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | @@ -49,6 +34,21 @@ osquery exposes an operating system as a high-performance relational database. T | `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| | `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +### [process](../data_model/process) + +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| +| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | + +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | | | |✓|✓|✓| |✓|✓| | | +| `unload` | | | | | | | | | | | | + diff --git a/docs/sensors/osquery_4.6.0.md b/docs/sensors/osquery_4.6.0.md index 878a4c27..024c5c8d 100644 --- a/docs/sensors/osquery_4.6.0.md +++ b/docs/sensors/osquery_4.6.0.md @@ -14,21 +14,6 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage -### [process](../data_model/process) - -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓|✓|✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | |✓| | -| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - -### [driver](../data_model/driver) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | -|---|---|---|---|---|---|---|---|---|---|---| -| `load` | | | |✓|✓|✓| |✓|✓| | | -| `unload` | | | | | | | | | | | | - ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | @@ -49,6 +34,21 @@ osquery exposes an operating system as a high-performance relational database. T | `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| | `write` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +### [process](../data_model/process) + +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓|✓|✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | |✓| | +| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | + +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | | | |✓|✓|✓| |✓|✓| | | +| `unload` | | | | | | | | | | | | + diff --git a/docs/sensors/sysmon_10.4.md b/docs/sensors/sysmon_10.4.md index 7ad43bc1..4a474305 100644 --- a/docs/sensors/sysmon_10.4.md +++ b/docs/sensors/sysmon_10.4.md @@ -14,13 +14,25 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [process](../data_model/process) +### [flow](../data_model/flow) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | | | | | | | |✓| -| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | +| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `start` | | | |✓|✓|✓| | | | |✓| | | | |✓| | | |✓|✓|✓|✓| | | |✓| + +### [file](../data_model/file) + +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | ### [registry](../data_model/registry) @@ -31,13 +43,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `remove` | |✓|✓| |✓|✓| |✓| | |✓| | `value_edit` | | | | | | | | | | | | -### [driver](../data_model/driver) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | -|---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| | |✓|✓| |✓| -| `unload` | | | | | | | | | | | | - ### [module](../data_model/module) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | @@ -45,6 +50,14 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | | `unload` | | | | | | | | | | | | | | +### [process](../data_model/process) + +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | | | | | | | |✓| +| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | + ### [thread](../data_model/thread) | | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | @@ -54,25 +67,12 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `suspend` | | | | | | | | | | | | | | | | | `terminate` | | | | | | | | | | | | | | | | -### [flow](../data_model/flow) - -| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `start` | | | |✓|✓|✓| | | | |✓| | | | |✓| | | |✓|✓|✓|✓| | | |✓| - -### [file](../data_model/file) +### [driver](../data_model/driver) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| | |✓|✓| |✓| +| `unload` | | | | | | | | | | | | diff --git a/docs/sensors/sysmon_11.0.md b/docs/sensors/sysmon_11.0.md index 41c5e2ea..0f919912 100644 --- a/docs/sensors/sysmon_11.0.md +++ b/docs/sensors/sysmon_11.0.md @@ -14,13 +14,25 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [process](../data_model/process) +### [flow](../data_model/flow) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | |✓| | | | | |✓| -| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | +| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | | |✓| + +### [file](../data_model/file) + +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | | |✓| +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | ### [registry](../data_model/registry) @@ -31,13 +43,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `remove` | |✓|✓| |✓|✓| |✓| | |✓| | `value_edit` | | | | | | | | | | | | -### [driver](../data_model/driver) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | -|---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| | |✓|✓| |✓| -| `unload` | | | | | | | | | | | | - ### [module](../data_model/module) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | @@ -45,6 +50,14 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | | `unload` | | | | | | | | | | | | | | +### [process](../data_model/process) + +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | |✓| | | | | |✓| +| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | + ### [thread](../data_model/thread) | | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | @@ -54,25 +67,12 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `suspend` | | | | | | | | | | | | | | | | | `terminate` | | | | | | | | | | | | | | | | -### [flow](../data_model/flow) - -| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | | |✓| - -### [file](../data_model/file) +### [driver](../data_model/driver) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | | |✓| -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| | |✓|✓| |✓| +| `unload` | | | | | | | | | | | | diff --git a/docs/sensors/sysmon_13.md b/docs/sensors/sysmon_13.md index 2c091e37..8defa72a 100644 --- a/docs/sensors/sysmon_13.md +++ b/docs/sensors/sysmon_13.md @@ -14,13 +14,25 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [process](../data_model/process) +### [flow](../data_model/flow) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓| |✓|✓| | | | | | | |✓| -| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | +| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | |✓|✓| + +### [file](../data_model/file) + +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | |✓|✓| +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | ### [registry](../data_model/registry) @@ -31,13 +43,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `remove` | |✓|✓| |✓|✓| |✓| | |✓| | `value_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| -### [driver](../data_model/driver) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | -|---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| | |✓|✓|✓|✓| -| `unload` | | | | | | | | | | | | - ### [module](../data_model/module) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | @@ -45,6 +50,14 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `load` | |✓| |✓|✓| |✓|✓|✓| |✓|✓|✓| | `unload` | | | | | | | | | | | | | | +### [process](../data_model/process) + +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓| |✓|✓| | | | | | | |✓| +| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | + ### [thread](../data_model/thread) | | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | @@ -54,25 +67,12 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `suspend` | | | | | | | | | | | | | | | | | `terminate` | | | | | | | | | | | | | | | | -### [flow](../data_model/flow) - -| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | |✓|✓| - -### [file](../data_model/file) +### [driver](../data_model/driver) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | |✓|✓| -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| | |✓|✓|✓|✓| +| `unload` | | | | | | | | | | | |