diff --git a/README.md b/README.md index 7af01f21..8d3ccfa7 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # Welcome to the Cyber Analytics Repository The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the [MITRE ATT&CK®](https://attack.mitre.org/) adversary model. CAR includes implementations directly targeted at specific tools (e.g., Splunk, EQL) in its analytics. With respect to coverage, CAR is focused on providing a set of validated and well-explained analytics, in particular with regards to their operating theory and rationale. +changes by omkar. If you want to start exploring, try viewing the [Full Analytic List](https://car.mitre.org/analytics). Also, check out the ATT&CK Navigator layer that captures the current set of ATT&CK tactics and techniques covered by CAR. diff --git a/docs/analytics/by_technique/index.md b/docs/analytics/by_technique/index.md index f8de1098..dff0471d 100644 --- a/docs/analytics/by_technique/index.md +++ b/docs/analytics/by_technique/index.md @@ -16,10 +16,6 @@ permalink: /analytics/by_technique T1003: OS Credential Dumping - - T1003.003: NTDS - - T1003.001: LSASS Memory @@ -28,6 +24,10 @@ permalink: /analytics/by_technique T1003.002: Security Account Manager + + T1003.003: NTDS + + T1007: System Service Discovery (N/A - technique only) @@ -62,14 +62,14 @@ permalink: /analytics/by_technique T1021.001: Remote Desktop Protocol - - T1021.002: SMB/Windows Admin Shares - - T1021.006: Windows Remote Management + + T1021.002: SMB/Windows Admin Shares + + T1021.003: Distributed Component Object Model @@ -130,14 +130,14 @@ permalink: /analytics/by_technique T1053: Scheduled Task/Job - - T1053.002: At - - T1053.005: Scheduled Task + + T1053.002: At + + T1055: Process Injection @@ -190,10 +190,6 @@ permalink: /analytics/by_technique T1070: Indicator Removal - - T1070.003: Clear Command History - - T1070.001: Clear Windows Event Logs @@ -202,6 +198,10 @@ permalink: /analytics/by_technique T1070.005: Network Share Connection Removal + + T1070.003: Clear Command History + + T1078: Valid Accounts @@ -277,14 +277,6 @@ permalink: /analytics/by_technique T1218: System Binary Proxy Execution - - T1218.010: Regsvr32 - - - - T1218.011: Rundll32 - - T1218.001: Compiled HTML File @@ -293,6 +285,14 @@ permalink: /analytics/by_technique T1218.003: CMSTP + + T1218.011: Rundll32 + + + + T1218.010: Regsvr32 + + T1222: File and Directory Permissions Modification @@ -327,6 +327,10 @@ permalink: /analytics/by_technique T1546: Event Triggered Execution + + T1546.015: Component Object Model Hijacking + + T1546.001: Change Default File Association @@ -347,17 +351,9 @@ permalink: /analytics/by_technique T1546.002: Screensaver - - T1546.015: Component Object Model Hijacking - - T1547: Boot or Logon Autostart Execution - - T1547.004: Winlogon Helper DLL - - T1547.001: Registry Run Keys / Startup Folder @@ -366,6 +362,10 @@ permalink: /analytics/by_technique T1547.010: Port Monitors + + T1547.004: Winlogon Helper DLL + + T1548: Abuse Elevation Control Mechanism (N/A - technique only) @@ -409,14 +409,14 @@ permalink: /analytics/by_technique T1562: Impair Defenses - - T1562.001: Disable or Modify Tools - - T1562.002: Disable Windows Event Logging + + T1562.001: Disable or Modify Tools + + T1562.006: Indicator Blocking diff --git a/docs/car_attack/car_attack.json b/docs/car_attack/car_attack.json index 25ea6ebd..aceeeeab 100644 --- a/docs/car_attack/car_attack.json +++ b/docs/car_attack/car_attack.json @@ -9,42 +9,55 @@ "domain": "mitre-enterprise", "techniques": [ { - "techniqueID": "T1036", + "techniqueID": "T1564", "color": "#c6dbef", - "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1559", + "techniqueID": "T1564.004", "color": "#c6dbef", - "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "enabled": true + }, + { + "techniqueID": "T1218", + "color": "#c6dbef", + "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | CAR-2020-11-009: Compiled HTML Access | CAR-2020-11-010: CMSTP", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1559.002", + "techniqueID": "T1218.001", "color": "#c6dbef", - "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "comment": "CAR-2020-11-009: Compiled HTML Access", "enabled": true }, { - "techniqueID": "T1547", + "techniqueID": "T1070", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1547.004", + "techniqueID": "T1070.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", "enabled": true }, { - "techniqueID": "T1112", + "techniqueID": "T1046", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1040", + "color": "#c6dbef", + "comment": "CAR-2020-11-002: Local Network Sniffing", "enabled": true, "showSubtechniques": true }, @@ -62,89 +75,75 @@ "enabled": true }, { - "techniqueID": "T1047", - "color": "#c6dbef", - "comment": "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | CAR-2014-12-001: Remotely Launched Executables via WMI | CAR-2016-03-002: Create Remote Process via WMIC", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1222", + "techniqueID": "T1569", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1222.001", - "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", - "enabled": true - }, - { - "techniqueID": "T1222.002", + "techniqueID": "T1569.002", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true }, { - "techniqueID": "T1078", + "techniqueID": "T1562", "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1078.002", + "techniqueID": "T1562.002", "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2022-03-001: Disable Windows Event Logging", "enabled": true }, { - "techniqueID": "T1078.003", + "techniqueID": "T1218.003", "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2020-11-010: CMSTP", "enabled": true }, { - "techniqueID": "T1218", + "techniqueID": "T1560", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | CAR-2020-11-009: Compiled HTML Access | CAR-2020-11-010: CMSTP", + "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1218.010", + "techniqueID": "T1560.001", "color": "#c6dbef", - "comment": "CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", + "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true }, { - "techniqueID": "T1037", + "techniqueID": "T1003", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS | CAR-2021-05-011: Create Remote Thread into LSASS", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1037.001", + "techniqueID": "T1003.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2021-05-011: Create Remote Thread into LSASS", "enabled": true }, { - "techniqueID": "T1197", + "techniqueID": "T1546", "color": "#c6dbef", - "comment": "CAR-2021-05-004: BITS Job Persistence | CAR-2021-05-005: BITSAdmin Download File", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1105", + "techniqueID": "T1546.015", "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2020-09-002: Component Object Model Hijacking", + "enabled": true }, { "techniqueID": "T1053", @@ -154,44 +153,37 @@ "showSubtechniques": true }, { - "techniqueID": "T1053.002", + "techniqueID": "T1053.005", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2015-04-001: Remotely Scheduled Tasks via AT", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "enabled": true }, { - "techniqueID": "T1003", + "techniqueID": "T1021", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS | CAR-2021-05-011: Create Remote Thread into LSASS", + "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments | CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM) | CAR-2016-04-005: Remote Desktop Logon", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1003.003", + "techniqueID": "T1021.001", "color": "#c6dbef", - "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS", + "comment": "CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2016-04-005: Remote Desktop Logon", "enabled": true }, { - "techniqueID": "T1569", + "techniqueID": "T1037", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1569.002", + "techniqueID": "T1037.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", "enabled": true }, - { - "techniqueID": "T1068", - "color": "#c6dbef", - "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", - "enabled": true, - "showSubtechniques": true - }, { "techniqueID": "T1553", "color": "#c6dbef", @@ -206,50 +198,43 @@ "enabled": true }, { - "techniqueID": "T1606", + "techniqueID": "T1197", "color": "#c6dbef", - "comment": "CAR-2021-05-008: Certutil exe certificate extraction", + "comment": "CAR-2021-05-004: BITS Job Persistence | CAR-2021-05-005: BITSAdmin Download File", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1606.002", + "techniqueID": "T1053.002", "color": "#c6dbef", - "comment": "CAR-2021-05-008: Certutil exe certificate extraction", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2015-04-001: Remotely Scheduled Tasks via AT", "enabled": true }, { - "techniqueID": "T1055", + "techniqueID": "T1112", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1055.001", - "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", - "enabled": true - }, - { - "techniqueID": "T1059", + "techniqueID": "T1078", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1059.003", + "techniqueID": "T1078.002", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", "enabled": true }, { - "techniqueID": "T1562", + "techniqueID": "T1078.003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "enabled": true }, { "techniqueID": "T1562.001", @@ -258,61 +243,64 @@ "enabled": true }, { - "techniqueID": "T1059.001", - "color": "#c6dbef", - "comment": "CAR-2014-04-003: Powershell Execution | CAR-2014-11-004: Remote PowerShell Sessions", - "enabled": true - }, - { - "techniqueID": "T1069", + "techniqueID": "T1055", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1069.001", + "techniqueID": "T1055.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", "enabled": true }, { - "techniqueID": "T1069.002", + "techniqueID": "T1136", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1136.001", + "color": "#c6dbef", + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", "enabled": true }, { - "techniqueID": "T1560", + "techniqueID": "T1068", "color": "#c6dbef", - "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", + "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1560.001", + "techniqueID": "T1047", "color": "#c6dbef", - "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", - "enabled": true + "comment": "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | CAR-2014-12-001: Remotely Launched Executables via WMI | CAR-2016-03-002: Create Remote Process via WMIC", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1505", + "techniqueID": "T1036", "color": "#c6dbef", - "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", + "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1505.003", + "techniqueID": "T1036.005", "color": "#c6dbef", - "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", + "comment": "CAR-2021-04-001: Common Windows Process Masquerading", "enabled": true }, { - "techniqueID": "T1053.005", + "techniqueID": "T1547", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", - "enabled": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "enabled": true, + "showSubtechniques": true }, { "techniqueID": "T1547.001", @@ -326,6 +314,12 @@ "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, + { + "techniqueID": "T1547.004", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", + "enabled": true + }, { "techniqueID": "T1574", "color": "#c6dbef", @@ -363,13 +357,6 @@ "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", "enabled": true }, - { - "techniqueID": "T1546", - "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", - "enabled": true, - "showSubtechniques": true - }, { "techniqueID": "T1546.001", "color": "#c6dbef", @@ -395,404 +382,417 @@ "enabled": true }, { - "techniqueID": "T1490", + "techniqueID": "T1059", "color": "#c6dbef", - "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1562.002", + "techniqueID": "T1059.003", "color": "#c6dbef", - "comment": "CAR-2022-03-001: Disable Windows Event Logging", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", "enabled": true }, { - "techniqueID": "T1070", + "techniqueID": "T1548", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1070.003", + "techniqueID": "T1548.002", "color": "#c6dbef", - "comment": "CAR-2020-11-005: Clear Powershell Console Command History", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", "enabled": true }, { - "techniqueID": "T1546.002", + "techniqueID": "T1021.006", "color": "#c6dbef", - "comment": "CAR-2020-11-011: Registry Edit from Screensaver", + "comment": "CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM)", "enabled": true }, { - "techniqueID": "T1218.011", + "techniqueID": "T1012", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring", - "enabled": true + "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1036.005", + "techniqueID": "T1069", "color": "#c6dbef", - "comment": "CAR-2021-04-001: Common Windows Process Masquerading", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1552", + "techniqueID": "T1069.001", "color": "#c6dbef", - "comment": "CAR-2020-09-004: Credentials in Files & Registry", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "enabled": true }, { - "techniqueID": "T1552.001", + "techniqueID": "T1069.002", "color": "#c6dbef", - "comment": "CAR-2020-09-004: Credentials in Files & Registry", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true }, { - "techniqueID": "T1552.002", + "techniqueID": "T1059.001", "color": "#c6dbef", - "comment": "CAR-2020-09-004: Credentials in Files & Registry", + "comment": "CAR-2014-04-003: Powershell Execution | CAR-2014-11-004: Remote PowerShell Sessions", "enabled": true }, { - "techniqueID": "T1003.001", + "techniqueID": "T1087", "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2021-05-011: Create Remote Thread into LSASS", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1087.001", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true }, { - "techniqueID": "T1548", + "techniqueID": "T1087.002", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true + }, + { + "techniqueID": "T1016", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1548.002", + "techniqueID": "T1082", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1136", + "techniqueID": "T1033", "color": "#c6dbef", - "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1136.001", + "techniqueID": "T1057", "color": "#c6dbef", - "comment": "CAR-2021-05-010: Create local admin accounts using net exe", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1021", + "techniqueID": "T1007", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments | CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM) | CAR-2016-04-005: Remote Desktop Logon", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1021.001", + "techniqueID": "T1187", "color": "#c6dbef", - "comment": "CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2016-04-005: Remote Desktop Logon", - "enabled": true + "comment": "CAR-2013-09-003: SMB Session Setups", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1570", + "techniqueID": "T1204", "color": "#c6dbef", - "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", + "comment": "CAR-2021-05-002: Batch File Write to System32", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1070.001", + "techniqueID": "T1204.002", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "comment": "CAR-2021-05-002: Batch File Write to System32", "enabled": true }, { - "techniqueID": "T1012", + "techniqueID": "T1562.006", "color": "#c6dbef", - "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", + "enabled": true }, { - "techniqueID": "T1040", + "techniqueID": "T1490", "color": "#c6dbef", - "comment": "CAR-2020-11-002: Local Network Sniffing", + "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1564", + "techniqueID": "T1552", "color": "#c6dbef", - "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "comment": "CAR-2020-09-004: Credentials in Files & Registry", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1564.004", + "techniqueID": "T1552.001", "color": "#c6dbef", - "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "comment": "CAR-2020-09-004: Credentials in Files & Registry", "enabled": true }, { - "techniqueID": "T1070.005", + "techniqueID": "T1552.002", "color": "#c6dbef", - "comment": "CAR-2020-11-007: Network Share Connection Removal", + "comment": "CAR-2020-09-004: Credentials in Files & Registry", "enabled": true }, { - "techniqueID": "T1218.001", + "techniqueID": "T1021.002", "color": "#c6dbef", - "comment": "CAR-2020-11-009: Compiled HTML Access", + "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", "enabled": true }, { - "techniqueID": "T1036.003", + "techniqueID": "T1021.003", "color": "#c6dbef", - "comment": "CAR-2013-05-009: Running executables with same hash and different names", + "comment": "CAR-2014-05-001: RPC Activity", "enabled": true }, { - "techniqueID": "T1021.002", + "techniqueID": "T1003.002", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, { - "techniqueID": "T1021.006", + "techniqueID": "T1018", "color": "#c6dbef", - "comment": "CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM)", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1140", + "techniqueID": "T1029", "color": "#c6dbef", - "comment": "CAR-2021-05-009: CertUtil With Decode Argument", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1569.001", + "techniqueID": "T1049", "color": "#c6dbef", - "comment": "CAR-2021-05-012: Create Service In Suspicious File Path", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1218.003", + "techniqueID": "T1010", "color": "#c6dbef", - "comment": "CAR-2020-11-010: CMSTP", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1039", + "techniqueID": "T1518", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1546.015", + "techniqueID": "T1518.001", "color": "#c6dbef", - "comment": "CAR-2020-09-002: Component Object Model Hijacking", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, { - "techniqueID": "T1087", + "techniqueID": "T1098", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1087.001", + "techniqueID": "T1059.005", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, { - "techniqueID": "T1087.002", + "techniqueID": "T1222", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2019-07-001: Access Permission Modification", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1222.001", + "color": "#c6dbef", + "comment": "CAR-2019-07-001: Access Permission Modification", "enabled": true }, { - "techniqueID": "T1003.002", + "techniqueID": "T1222.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2019-07-001: Access Permission Modification", "enabled": true }, { - "techniqueID": "T1057", + "techniqueID": "T1127", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2020-11-008: MSBuild and msxsl", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1018", + "techniqueID": "T1127.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2020-11-008: MSBuild and msxsl", + "enabled": true }, { - "techniqueID": "T1029", + "techniqueID": "T1550", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2016-04-004: Successful Local Account Login", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1033", + "techniqueID": "T1550.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2016-04-004: Successful Local Account Login", + "enabled": true }, { - "techniqueID": "T1007", + "techniqueID": "T1105", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1082", + "techniqueID": "T1569.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2021-05-012: Create Service In Suspicious File Path", + "enabled": true }, { - "techniqueID": "T1049", + "techniqueID": "T1055.012", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2020-11-004: Processes Started From Irregular Parent", + "enabled": true }, { - "techniqueID": "T1016", + "techniqueID": "T1218.011", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2014-03-006: RunDLL32.exe monitoring", + "enabled": true }, { - "techniqueID": "T1010", + "techniqueID": "T1039", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-01-003: SMB Events Monitoring", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1518", + "techniqueID": "T1606", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1518.001", + "techniqueID": "T1606.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", "enabled": true }, { - "techniqueID": "T1046", - "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1562.006", + "techniqueID": "T1546.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", + "comment": "CAR-2020-11-011: Registry Edit from Screensaver", "enabled": true }, { - "techniqueID": "T1098", + "techniqueID": "T1570", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1059.005", + "techniqueID": "T1218.010", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", "enabled": true }, { - "techniqueID": "T1127", + "techniqueID": "T1140", "color": "#c6dbef", - "comment": "CAR-2020-11-008: MSBuild and msxsl", + "comment": "CAR-2021-05-009: CertUtil With Decode Argument", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1127.001", + "techniqueID": "T1574.001", "color": "#c6dbef", - "comment": "CAR-2020-11-008: MSBuild and msxsl", + "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "enabled": true }, { - "techniqueID": "T1055.012", + "techniqueID": "T1036.003", "color": "#c6dbef", - "comment": "CAR-2020-11-004: Processes Started From Irregular Parent", + "comment": "CAR-2013-05-009: Running executables with same hash and different names", "enabled": true }, { - "techniqueID": "T1550", + "techniqueID": "T1505", "color": "#c6dbef", - "comment": "CAR-2016-04-004: Successful Local Account Login", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1550.002", + "techniqueID": "T1505.003", "color": "#c6dbef", - "comment": "CAR-2016-04-004: Successful Local Account Login", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", "enabled": true }, { - "techniqueID": "T1574.001", + "techniqueID": "T1070.005", "color": "#c6dbef", - "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", + "comment": "CAR-2020-11-007: Network Share Connection Removal", "enabled": true }, { - "techniqueID": "T1204", + "techniqueID": "T1559", "color": "#c6dbef", - "comment": "CAR-2021-05-002: Batch File Write to System32", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1204.002", + "techniqueID": "T1559.002", "color": "#c6dbef", - "comment": "CAR-2021-05-002: Batch File Write to System32", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", "enabled": true }, { - "techniqueID": "T1187", + "techniqueID": "T1003.003", "color": "#c6dbef", - "comment": "CAR-2013-09-003: SMB Session Setups", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS", + "enabled": true }, { - "techniqueID": "T1021.003", + "techniqueID": "T1070.003", "color": "#c6dbef", - "comment": "CAR-2014-05-001: RPC Activity", + "comment": "CAR-2020-11-005: Clear Powershell Console Command History", "enabled": true } ] diff --git a/docs/data/analytics.json b/docs/data/analytics.json index 4efe5bfe..d7e9556b 100644 --- a/docs/data/analytics.json +++ b/docs/data/analytics.json @@ -1 +1 @@ -{"analytics": [{"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Detecting Shadow Copy Deletion or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}]} \ No newline at end of file +{"analytics": [{"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Detecting Shadow Copy Deletion or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}]} \ No newline at end of file diff --git a/docs/sensors/auditd_2.8.md b/docs/sensors/auditd_2.8.md index aa3ef2a0..f0199070 100644 --- a/docs/sensors/auditd_2.8.md +++ b/docs/sensors/auditd_2.8.md @@ -15,14 +15,6 @@ auditd is the userspace component to the Linux Auditing System. It's responsible ## Data Model Coverage -### [flow](../data_model/flow) - -| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `end` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| - ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | @@ -50,6 +42,14 @@ auditd is the userspace component to the Linux Auditing System. It's responsible | `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| | `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +### [flow](../data_model/flow) + +| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `end` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| +| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| + diff --git a/docs/sensors/autoruns_13.98.md b/docs/sensors/autoruns_13.98.md index 2cf2b3de..083adbe5 100644 --- a/docs/sensors/autoruns_13.98.md +++ b/docs/sensors/autoruns_13.98.md @@ -14,15 +14,6 @@ Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Wi ## Data Model Coverage -### [registry](../data_model/registry) - -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | ✓|✓|✓|✓| |✓| | |✓| |✓| -| `key_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓| -| `remove` | | | | | | | | | | | | -| `value_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓| - ### [service](../data_model/service) | | `command_line` | `exe` | `fqdn` | `hostname` | `image_path` | `name` | `pid` | `ppid` | `uid` | `user` | @@ -45,6 +36,15 @@ Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Wi | `timestomp` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +### [registry](../data_model/registry) + +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | +|---|---|---|---|---|---|---|---|---|---|---| +| `add` | ✓|✓|✓|✓| |✓| | |✓| |✓| +| `key_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓| +| `remove` | | | | | | | | | | | | +| `value_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓| + diff --git a/docs/sensors/osquery_4.1.2.md b/docs/sensors/osquery_4.1.2.md index f484782a..cb1312c9 100644 --- a/docs/sensors/osquery_4.1.2.md +++ b/docs/sensors/osquery_4.1.2.md @@ -14,14 +14,6 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage -### [flow](../data_model/flow) - -| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `end` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| - ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | @@ -49,6 +41,14 @@ osquery exposes an operating system as a high-performance relational database. T | `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| | `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +### [flow](../data_model/flow) + +| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `end` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| +| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| + diff --git a/docs/sensors/osquery_4.6.0.md b/docs/sensors/osquery_4.6.0.md index 5fce086a..578e7938 100644 --- a/docs/sensors/osquery_4.6.0.md +++ b/docs/sensors/osquery_4.6.0.md @@ -14,14 +14,6 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage -### [flow](../data_model/flow) - -| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `end` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| - ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | @@ -49,6 +41,14 @@ osquery exposes an operating system as a high-performance relational database. T | `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| | `write` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +### [flow](../data_model/flow) + +| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `end` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| +| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| + diff --git a/docs/sensors/sysmon_10.4.md b/docs/sensors/sysmon_10.4.md index ac500184..47a07ec3 100644 --- a/docs/sensors/sysmon_10.4.md +++ b/docs/sensors/sysmon_10.4.md @@ -14,30 +14,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [registry](../data_model/registry) - -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | |✓|✓| |✓|✓| |✓| | |✓| -| `key_edit` | | | | | | | | | | | | -| `remove` | |✓|✓| |✓|✓| |✓| | |✓| -| `value_edit` | | | | | | | | | | | | - -### [flow](../data_model/flow) - -| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `start` | | | |✓|✓|✓| | | | |✓| | | | |✓| | | |✓|✓|✓|✓| | | |✓| - -### [module](../data_model/module) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | -|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | -| `unload` | | | | | | | | | | | | | | - ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | @@ -53,15 +29,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | | | | | | | |✓| | `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | -### [thread](../data_model/thread) - -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | - ### [file](../data_model/file) | | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | @@ -74,6 +41,39 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | | | `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +### [thread](../data_model/thread) + +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + +### [flow](../data_model/flow) + +| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `start` | | | |✓|✓|✓| | | | |✓| | | | |✓| | | |✓|✓|✓|✓| | | |✓| + +### [module](../data_model/module) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | +|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | +| `unload` | | | | | | | | | | | | | | + +### [registry](../data_model/registry) + +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | +|---|---|---|---|---|---|---|---|---|---|---| +| `add` | |✓|✓| |✓|✓| |✓| | |✓| +| `key_edit` | | | | | | | | | | | | +| `remove` | |✓|✓| |✓|✓| |✓| | |✓| +| `value_edit` | | | | | | | | | | | | + diff --git a/docs/sensors/sysmon_11.0.md b/docs/sensors/sysmon_11.0.md index 4d5461d1..5acbda78 100644 --- a/docs/sensors/sysmon_11.0.md +++ b/docs/sensors/sysmon_11.0.md @@ -14,30 +14,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [registry](../data_model/registry) - -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | |✓|✓| |✓|✓| |✓| | |✓| -| `key_edit` | | | | | | | | | | | | -| `remove` | |✓|✓| |✓|✓| |✓| | |✓| -| `value_edit` | | | | | | | | | | | | - -### [flow](../data_model/flow) - -| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | | |✓| - -### [module](../data_model/module) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | -|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | -| `unload` | | | | | | | | | | | | | | - ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | @@ -53,15 +29,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | |✓| | | | | |✓| | `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | -### [thread](../data_model/thread) - -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | - ### [file](../data_model/file) | | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | @@ -74,6 +41,39 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | | `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +### [thread](../data_model/thread) + +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + +### [flow](../data_model/flow) + +| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | | |✓| + +### [module](../data_model/module) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | +|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | +| `unload` | | | | | | | | | | | | | | + +### [registry](../data_model/registry) + +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | +|---|---|---|---|---|---|---|---|---|---|---| +| `add` | |✓|✓| |✓|✓| |✓| | |✓| +| `key_edit` | | | | | | | | | | | | +| `remove` | |✓|✓| |✓|✓| |✓| | |✓| +| `value_edit` | | | | | | | | | | | | + diff --git a/docs/sensors/sysmon_13.md b/docs/sensors/sysmon_13.md index 8d28e3c5..81ce6a2a 100644 --- a/docs/sensors/sysmon_13.md +++ b/docs/sensors/sysmon_13.md @@ -14,30 +14,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [registry](../data_model/registry) - -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | ✓|✓|✓| |✓|✓| |✓| | |✓| -| `key_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| -| `remove` | |✓|✓| |✓|✓| |✓| | |✓| -| `value_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| - -### [flow](../data_model/flow) - -| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | |✓|✓| - -### [module](../data_model/module) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | -|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| |✓|✓|✓| |✓|✓|✓| -| `unload` | | | | | | | | | | | | | | - ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | @@ -53,15 +29,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓| |✓|✓| | | | | | | |✓| | `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | -### [thread](../data_model/thread) - -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | - ### [file](../data_model/file) | | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | @@ -74,6 +41,39 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | | `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +### [thread](../data_model/thread) + +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + +### [flow](../data_model/flow) + +| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | |✓|✓| + +### [module](../data_model/module) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | +|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| |✓|✓|✓| |✓|✓|✓| +| `unload` | | | | | | | | | | | | | | + +### [registry](../data_model/registry) + +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | +|---|---|---|---|---|---|---|---|---|---|---| +| `add` | ✓|✓|✓| |✓|✓| |✓| | |✓| +| `key_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| +| `remove` | |✓|✓| |✓|✓| |✓| | |✓| +| `value_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| +