diff --git a/docs/analytics/by_technique/index.md b/docs/analytics/by_technique/index.md index f8de1098..a52f22b5 100644 --- a/docs/analytics/by_technique/index.md +++ b/docs/analytics/by_technique/index.md @@ -20,14 +20,14 @@ permalink: /analytics/by_technique T1003.003: NTDS - - T1003.001: LSASS Memory - - T1003.002: Security Account Manager + + T1003.001: LSASS Memory + + T1007: System Service Discovery (N/A - technique only) @@ -58,14 +58,14 @@ permalink: /analytics/by_technique (N/A - technique only) - - T1021.001: Remote Desktop Protocol - - T1021.002: SMB/Windows Admin Shares + + T1021.001: Remote Desktop Protocol + + T1021.006: Windows Remote Management @@ -130,14 +130,14 @@ permalink: /analytics/by_technique T1053: Scheduled Task/Job - - T1053.002: At - - T1053.005: Scheduled Task + + T1053.002: At + + T1055: Process Injection @@ -163,14 +163,14 @@ permalink: /analytics/by_technique T1059.003: Windows Command Shell - - T1059.001: PowerShell - - T1059.005: Visual Basic + + T1059.001: PowerShell + + T1068: Exploitation for Privilege Escalation (N/A - technique only) @@ -191,16 +191,16 @@ permalink: /analytics/by_technique T1070: Indicator Removal - T1070.003: Clear Command History - + T1070.005: Network Share Connection Removal + T1070.001: Clear Windows Event Logs - T1070.005: Network Share Connection Removal - + T1070.003: Clear Command History + T1078: Valid Accounts @@ -278,20 +278,20 @@ permalink: /analytics/by_technique T1218: System Binary Proxy Execution - T1218.010: Regsvr32 - + T1218.003: CMSTP + T1218.011: Rundll32 - T1218.001: Compiled HTML File - + T1218.010: Regsvr32 + - T1218.003: CMSTP - + T1218.001: Compiled HTML File + T1222: File and Directory Permissions Modification @@ -327,6 +327,10 @@ permalink: /analytics/by_technique T1546: Event Triggered Execution + + T1546.008: Accessibility Features + + T1546.001: Change Default File Association @@ -335,10 +339,6 @@ permalink: /analytics/by_technique T1546.003: Windows Management Instrumentation Event Subscription - - T1546.008: Accessibility Features - - T1546.010: AppInit DLLs @@ -413,14 +413,14 @@ permalink: /analytics/by_technique T1562.001: Disable or Modify Tools - - T1562.002: Disable Windows Event Logging - - T1562.006: Indicator Blocking + + T1562.002: Disable Windows Event Logging + + T1564: Hide Artifacts T1564.004: NTFS File Attributes @@ -446,28 +446,28 @@ permalink: /analytics/by_technique T1574: Hijack Execution Flow - T1574.007: Path Interception by PATH Environment Variable - + T1574.001: DLL Search Order Hijacking + - T1574.008: Path Interception by Search Order Hijacking - + T1574.011: Services Registry Permissions Weakness + T1574.009: Path Interception by Unquoted Path - T1574.010: Services File Permissions Weakness - + T1574.007: Path Interception by PATH Environment Variable + - T1574.011: Services Registry Permissions Weakness - + T1574.008: Path Interception by Search Order Hijacking + - T1574.001: DLL Search Order Hijacking - + T1574.010: Services File Permissions Weakness + T1606: Forge Web Credentials diff --git a/docs/car_attack/car_attack.json b/docs/car_attack/car_attack.json index 25ea6ebd..dd12e38d 100644 --- a/docs/car_attack/car_attack.json +++ b/docs/car_attack/car_attack.json @@ -9,12 +9,18 @@ "domain": "mitre-enterprise", "techniques": [ { - "techniqueID": "T1036", + "techniqueID": "T1136", "color": "#c6dbef", - "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", "enabled": true, "showSubtechniques": true }, + { + "techniqueID": "T1136.001", + "color": "#c6dbef", + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "enabled": true + }, { "techniqueID": "T1559", "color": "#c6dbef", @@ -29,134 +35,122 @@ "enabled": true }, { - "techniqueID": "T1547", + "techniqueID": "T1053", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1547.004", + "techniqueID": "T1053.005", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "enabled": true }, { - "techniqueID": "T1112", + "techniqueID": "T1047", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "comment": "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | CAR-2014-12-001: Remotely Launched Executables via WMI | CAR-2016-03-002: Create Remote Process via WMIC", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1543", + "techniqueID": "T1070", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1543.003", + "techniqueID": "T1070.005", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", + "comment": "CAR-2020-11-007: Network Share Connection Removal", "enabled": true }, { - "techniqueID": "T1047", + "techniqueID": "T1105", "color": "#c6dbef", - "comment": "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | CAR-2014-12-001: Remotely Launched Executables via WMI | CAR-2016-03-002: Create Remote Process via WMIC", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1222", + "techniqueID": "T1548", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1222.001", + "techniqueID": "T1574", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", - "enabled": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1222.002", + "techniqueID": "T1574.001", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", + "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "enabled": true }, { - "techniqueID": "T1078", + "techniqueID": "T1112", "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1078.002", - "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", - "enabled": true - }, - { - "techniqueID": "T1078.003", + "techniqueID": "T1053.002", "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2015-04-001: Remotely Scheduled Tasks via AT", "enabled": true }, { - "techniqueID": "T1218", + "techniqueID": "T1550", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | CAR-2020-11-009: Compiled HTML Access | CAR-2020-11-010: CMSTP", + "comment": "CAR-2016-04-004: Successful Local Account Login", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1218.010", + "techniqueID": "T1550.002", "color": "#c6dbef", - "comment": "CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", + "comment": "CAR-2016-04-004: Successful Local Account Login", "enabled": true }, { - "techniqueID": "T1037", + "techniqueID": "T1059", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1037.001", + "techniqueID": "T1059.003", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", "enabled": true }, { - "techniqueID": "T1197", - "color": "#c6dbef", - "comment": "CAR-2021-05-004: BITS Job Persistence | CAR-2021-05-005: BITSAdmin Download File", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1105", + "techniqueID": "T1068", "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", + "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1053", + "techniqueID": "T1562", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1053.002", + "techniqueID": "T1562.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2015-04-001: Remotely Scheduled Tasks via AT", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt", "enabled": true }, { @@ -173,269 +167,279 @@ "enabled": true }, { - "techniqueID": "T1569", + "techniqueID": "T1546", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1569.002", + "techniqueID": "T1546.008", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", "enabled": true }, { - "techniqueID": "T1068", + "techniqueID": "T1087", "color": "#c6dbef", - "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1553", + "techniqueID": "T1087.001", "color": "#c6dbef", - "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true }, { - "techniqueID": "T1553.004", + "techniqueID": "T1087.002", "color": "#c6dbef", - "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true }, { - "techniqueID": "T1606", + "techniqueID": "T1003.002", "color": "#c6dbef", - "comment": "CAR-2021-05-008: Certutil exe certificate extraction", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true + }, + { + "techniqueID": "T1069", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1606.002", + "techniqueID": "T1069.001", "color": "#c6dbef", - "comment": "CAR-2021-05-008: Certutil exe certificate extraction", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true }, { - "techniqueID": "T1055", + "techniqueID": "T1069.002", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "enabled": true }, { - "techniqueID": "T1055.001", + "techniqueID": "T1057", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1059", + "techniqueID": "T1021", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", + "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments | CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM) | CAR-2016-04-005: Remote Desktop Logon", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1059.003", + "techniqueID": "T1021.002", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", + "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", "enabled": true }, { - "techniqueID": "T1562", + "techniqueID": "T1543", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1562.001", + "techniqueID": "T1543.003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", "enabled": true }, { - "techniqueID": "T1059.001", + "techniqueID": "T1574.011", "color": "#c6dbef", - "comment": "CAR-2014-04-003: Powershell Execution | CAR-2014-11-004: Remote PowerShell Sessions", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", "enabled": true }, { - "techniqueID": "T1069", + "techniqueID": "T1018", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1069.001", + "techniqueID": "T1569", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1069.002", + "techniqueID": "T1569.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true }, { - "techniqueID": "T1560", + "techniqueID": "T1029", "color": "#c6dbef", - "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1560.001", + "techniqueID": "T1033", "color": "#c6dbef", - "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1505", + "techniqueID": "T1007", "color": "#c6dbef", - "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1505.003", + "techniqueID": "T1082", "color": "#c6dbef", - "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1053.005", + "techniqueID": "T1049", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1547.001", + "techniqueID": "T1016", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1547.010", + "techniqueID": "T1010", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1574", + "techniqueID": "T1518", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1574.007", + "techniqueID": "T1518.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, { - "techniqueID": "T1574.008", + "techniqueID": "T1046", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1574.009", + "techniqueID": "T1562.006", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-07-001: Service Search Path Interception", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", "enabled": true }, { - "techniqueID": "T1574.010", + "techniqueID": "T1098", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-02-001: Service Binary Modifications", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1574.011", + "techniqueID": "T1059.005", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, { - "techniqueID": "T1546", + "techniqueID": "T1012", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", + "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1546.001", - "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", - "enabled": true - }, - { - "techniqueID": "T1546.003", + "techniqueID": "T1070.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", "enabled": true }, { - "techniqueID": "T1546.008", + "techniqueID": "T1606", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", - "enabled": true + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1546.010", + "techniqueID": "T1606.002", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-09-005: AppInit DLLs", + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", "enabled": true }, { - "techniqueID": "T1490", + "techniqueID": "T1218", "color": "#c6dbef", - "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", + "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | CAR-2020-11-009: Compiled HTML Access | CAR-2020-11-010: CMSTP", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1562.002", + "techniqueID": "T1218.003", "color": "#c6dbef", - "comment": "CAR-2022-03-001: Disable Windows Event Logging", + "comment": "CAR-2020-11-010: CMSTP", "enabled": true }, { - "techniqueID": "T1070", + "techniqueID": "T1490", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1070.003", + "techniqueID": "T1039", "color": "#c6dbef", - "comment": "CAR-2020-11-005: Clear Powershell Console Command History", - "enabled": true + "comment": "CAR-2013-01-003: SMB Events Monitoring", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1546.002", + "techniqueID": "T1078", "color": "#c6dbef", - "comment": "CAR-2020-11-011: Registry Edit from Screensaver", - "enabled": true + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1218.011", + "techniqueID": "T1078.002", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", "enabled": true }, { - "techniqueID": "T1036.005", + "techniqueID": "T1078.003", "color": "#c6dbef", - "comment": "CAR-2021-04-001: Common Windows Process Masquerading", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", "enabled": true }, { @@ -458,126 +462,113 @@ "enabled": true }, { - "techniqueID": "T1003.001", - "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2021-05-011: Create Remote Thread into LSASS", - "enabled": true - }, - { - "techniqueID": "T1548", + "techniqueID": "T1564", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1548.002", + "techniqueID": "T1564.004", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", "enabled": true }, { - "techniqueID": "T1136", + "techniqueID": "T1187", "color": "#c6dbef", - "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "comment": "CAR-2013-09-003: SMB Session Setups", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1136.001", - "color": "#c6dbef", - "comment": "CAR-2021-05-010: Create local admin accounts using net exe", - "enabled": true - }, - { - "techniqueID": "T1021", + "techniqueID": "T1560", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments | CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM) | CAR-2016-04-005: Remote Desktop Logon", + "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1021.001", + "techniqueID": "T1560.001", "color": "#c6dbef", - "comment": "CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2016-04-005: Remote Desktop Logon", + "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true }, { - "techniqueID": "T1570", + "techniqueID": "T1204", "color": "#c6dbef", - "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", + "comment": "CAR-2021-05-002: Batch File Write to System32", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1070.001", + "techniqueID": "T1204.002", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "comment": "CAR-2021-05-002: Batch File Write to System32", "enabled": true }, { - "techniqueID": "T1012", + "techniqueID": "T1505", "color": "#c6dbef", - "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1040", + "techniqueID": "T1505.003", "color": "#c6dbef", - "comment": "CAR-2020-11-002: Local Network Sniffing", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", + "enabled": true }, { - "techniqueID": "T1564", + "techniqueID": "T1055", "color": "#c6dbef", - "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1564.004", + "techniqueID": "T1055.001", "color": "#c6dbef", - "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", "enabled": true }, { - "techniqueID": "T1070.005", + "techniqueID": "T1548.002", "color": "#c6dbef", - "comment": "CAR-2020-11-007: Network Share Connection Removal", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", "enabled": true }, { - "techniqueID": "T1218.001", + "techniqueID": "T1218.011", "color": "#c6dbef", - "comment": "CAR-2020-11-009: Compiled HTML Access", + "comment": "CAR-2014-03-006: RunDLL32.exe monitoring", "enabled": true }, { - "techniqueID": "T1036.003", + "techniqueID": "T1222", "color": "#c6dbef", - "comment": "CAR-2013-05-009: Running executables with same hash and different names", - "enabled": true + "comment": "CAR-2019-07-001: Access Permission Modification", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1021.002", + "techniqueID": "T1222.001", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", + "comment": "CAR-2019-07-001: Access Permission Modification", "enabled": true }, { - "techniqueID": "T1021.006", + "techniqueID": "T1222.002", "color": "#c6dbef", - "comment": "CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM)", + "comment": "CAR-2019-07-001: Access Permission Modification", "enabled": true }, { - "techniqueID": "T1140", + "techniqueID": "T1021.001", "color": "#c6dbef", - "comment": "CAR-2021-05-009: CertUtil With Decode Argument", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2016-04-005: Remote Desktop Logon", + "enabled": true }, { "techniqueID": "T1569.001", @@ -586,213 +577,222 @@ "enabled": true }, { - "techniqueID": "T1218.003", + "techniqueID": "T1055.012", "color": "#c6dbef", - "comment": "CAR-2020-11-010: CMSTP", + "comment": "CAR-2020-11-004: Processes Started From Irregular Parent", "enabled": true }, { - "techniqueID": "T1039", + "techniqueID": "T1574.009", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-07-001: Service Search Path Interception", + "enabled": true + }, + { + "techniqueID": "T1036", + "color": "#c6dbef", + "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1546.015", + "techniqueID": "T1036.005", "color": "#c6dbef", - "comment": "CAR-2020-09-002: Component Object Model Hijacking", + "comment": "CAR-2021-04-001: Common Windows Process Masquerading", "enabled": true }, { - "techniqueID": "T1087", + "techniqueID": "T1547", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1087.001", + "techniqueID": "T1547.004", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", "enabled": true }, { - "techniqueID": "T1087.002", + "techniqueID": "T1547.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", "enabled": true }, { - "techniqueID": "T1003.002", + "techniqueID": "T1547.010", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1057", + "techniqueID": "T1574.007", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences", + "enabled": true }, { - "techniqueID": "T1018", + "techniqueID": "T1574.008", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences", + "enabled": true }, { - "techniqueID": "T1029", + "techniqueID": "T1574.010", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-02-001: Service Binary Modifications", + "enabled": true }, { - "techniqueID": "T1033", + "techniqueID": "T1546.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences", + "enabled": true }, { - "techniqueID": "T1007", + "techniqueID": "T1546.003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences", + "enabled": true }, { - "techniqueID": "T1082", + "techniqueID": "T1546.010", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-09-005: AppInit DLLs", + "enabled": true }, { - "techniqueID": "T1049", + "techniqueID": "T1037", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1016", + "techniqueID": "T1037.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "enabled": true }, { - "techniqueID": "T1010", + "techniqueID": "T1218.010", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", + "enabled": true }, { - "techniqueID": "T1518", + "techniqueID": "T1040", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2020-11-002: Local Network Sniffing", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1518.001", + "techniqueID": "T1562.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2022-03-001: Disable Windows Event Logging", "enabled": true }, { - "techniqueID": "T1046", + "techniqueID": "T1127", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", + "comment": "CAR-2020-11-008: MSBuild and msxsl", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1562.006", + "techniqueID": "T1127.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", + "comment": "CAR-2020-11-008: MSBuild and msxsl", "enabled": true }, { - "techniqueID": "T1098", + "techniqueID": "T1003.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2021-05-011: Create Remote Thread into LSASS", + "enabled": true + }, + { + "techniqueID": "T1553", + "color": "#c6dbef", + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1059.005", + "techniqueID": "T1553.004", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", "enabled": true }, { - "techniqueID": "T1127", + "techniqueID": "T1021.006", "color": "#c6dbef", - "comment": "CAR-2020-11-008: MSBuild and msxsl", + "comment": "CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM)", + "enabled": true + }, + { + "techniqueID": "T1570", + "color": "#c6dbef", + "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1127.001", + "techniqueID": "T1021.003", "color": "#c6dbef", - "comment": "CAR-2020-11-008: MSBuild and msxsl", + "comment": "CAR-2014-05-001: RPC Activity", "enabled": true }, { - "techniqueID": "T1055.012", + "techniqueID": "T1218.001", "color": "#c6dbef", - "comment": "CAR-2020-11-004: Processes Started From Irregular Parent", + "comment": "CAR-2020-11-009: Compiled HTML Access", "enabled": true }, { - "techniqueID": "T1550", + "techniqueID": "T1546.002", "color": "#c6dbef", - "comment": "CAR-2016-04-004: Successful Local Account Login", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2020-11-011: Registry Edit from Screensaver", + "enabled": true }, { - "techniqueID": "T1550.002", + "techniqueID": "T1546.015", "color": "#c6dbef", - "comment": "CAR-2016-04-004: Successful Local Account Login", + "comment": "CAR-2020-09-002: Component Object Model Hijacking", "enabled": true }, { - "techniqueID": "T1574.001", + "techniqueID": "T1140", "color": "#c6dbef", - "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", - "enabled": true + "comment": "CAR-2021-05-009: CertUtil With Decode Argument", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1204", + "techniqueID": "T1197", "color": "#c6dbef", - "comment": "CAR-2021-05-002: Batch File Write to System32", + "comment": "CAR-2021-05-004: BITS Job Persistence | CAR-2021-05-005: BITSAdmin Download File", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1204.002", + "techniqueID": "T1059.001", "color": "#c6dbef", - "comment": "CAR-2021-05-002: Batch File Write to System32", + "comment": "CAR-2014-04-003: Powershell Execution | CAR-2014-11-004: Remote PowerShell Sessions", "enabled": true }, { - "techniqueID": "T1187", + "techniqueID": "T1036.003", "color": "#c6dbef", - "comment": "CAR-2013-09-003: SMB Session Setups", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-05-009: Running executables with same hash and different names", + "enabled": true }, { - "techniqueID": "T1021.003", + "techniqueID": "T1070.003", "color": "#c6dbef", - "comment": "CAR-2014-05-001: RPC Activity", + "comment": "CAR-2020-11-005: Clear Powershell Console Command History", "enabled": true } ] diff --git a/docs/data/analytics.json b/docs/data/analytics.json index 4efe5bfe..402f2d6c 100644 --- a/docs/data/analytics.json +++ b/docs/data/analytics.json @@ -1 +1 @@ -{"analytics": [{"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Detecting Shadow Copy Deletion or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}]} \ No newline at end of file +{"analytics": [{"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Detecting Shadow Copy Deletion or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}]} \ No newline at end of file diff --git a/docs/sensors/auditd_2.8.md b/docs/sensors/auditd_2.8.md index aa3ef2a0..bfc137d5 100644 --- a/docs/sensors/auditd_2.8.md +++ b/docs/sensors/auditd_2.8.md @@ -15,6 +15,18 @@ auditd is the userspace component to the Linux Auditing System. It's responsible ## Data Model Coverage +### [file](../data_model/file) + +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | @@ -23,13 +35,6 @@ auditd is the userspace component to the Linux Auditing System. It's responsible | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -### [driver](../data_model/driver) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | -|---|---|---|---|---|---|---|---|---|---|---| -| `load` | | | |✓|✓|✓| |✓|✓| | | -| `unload` | | | | | | | | | | | | - ### [process](../data_model/process) | | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | @@ -38,17 +43,12 @@ auditd is the userspace component to the Linux Auditing System. It's responsible | `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| | `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -### [file](../data_model/file) +### [driver](../data_model/driver) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | | | |✓|✓|✓| |✓|✓| | | +| `unload` | | | | | | | | | | | | diff --git a/docs/sensors/autoruns_13.98.md b/docs/sensors/autoruns_13.98.md index 2cf2b3de..a32f571b 100644 --- a/docs/sensors/autoruns_13.98.md +++ b/docs/sensors/autoruns_13.98.md @@ -14,14 +14,17 @@ Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Wi ## Data Model Coverage -### [registry](../data_model/registry) +### [file](../data_model/file) -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | ✓|✓|✓|✓| |✓| | |✓| |✓| -| `key_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓| -| `remove` | | | | | | | | | | | | -| `value_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓| +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | +| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `modify` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | ### [service](../data_model/service) @@ -33,17 +36,14 @@ Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Wi | `start` | | | | | | | | | | | | `stop` | | | | | | | | | | | -### [file](../data_model/file) +### [registry](../data_model/registry) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | -| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `modify` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | +|---|---|---|---|---|---|---|---|---|---|---| +| `add` | ✓|✓|✓|✓| |✓| | |✓| |✓| +| `key_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓| +| `remove` | | | | | | | | | | | | +| `value_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓| diff --git a/docs/sensors/osquery_4.1.2.md b/docs/sensors/osquery_4.1.2.md index f484782a..1a1962f2 100644 --- a/docs/sensors/osquery_4.1.2.md +++ b/docs/sensors/osquery_4.1.2.md @@ -14,6 +14,18 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage +### [file](../data_model/file) + +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | @@ -22,13 +34,6 @@ osquery exposes an operating system as a high-performance relational database. T | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -### [driver](../data_model/driver) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | -|---|---|---|---|---|---|---|---|---|---|---| -| `load` | | | |✓|✓|✓| |✓|✓| | | -| `unload` | | | | | | | | | | | | - ### [process](../data_model/process) | | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | @@ -37,17 +42,12 @@ osquery exposes an operating system as a high-performance relational database. T | `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| | `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -### [file](../data_model/file) +### [driver](../data_model/driver) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | | | |✓|✓|✓| |✓|✓| | | +| `unload` | | | | | | | | | | | | diff --git a/docs/sensors/osquery_4.6.0.md b/docs/sensors/osquery_4.6.0.md index 5fce086a..e776d9e8 100644 --- a/docs/sensors/osquery_4.6.0.md +++ b/docs/sensors/osquery_4.6.0.md @@ -14,6 +14,18 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage +### [file](../data_model/file) + +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| +| `delete` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| +| `modify` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +| `write` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | @@ -22,13 +34,6 @@ osquery exposes an operating system as a high-performance relational database. T | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -### [driver](../data_model/driver) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | -|---|---|---|---|---|---|---|---|---|---|---| -| `load` | | | |✓|✓|✓| |✓|✓| | | -| `unload` | | | | | | | | | | | | - ### [process](../data_model/process) | | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | @@ -37,17 +42,12 @@ osquery exposes an operating system as a high-performance relational database. T | `create` | | |✓|✓|✓|✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | |✓| | | `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -### [file](../data_model/file) +### [driver](../data_model/driver) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| -| `delete` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| -| `modify` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| -| `write` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | | | |✓|✓|✓| |✓|✓| | | +| `unload` | | | | | | | | | | | | diff --git a/docs/sensors/sysmon_10.4.md b/docs/sensors/sysmon_10.4.md index ac500184..2e64c13e 100644 --- a/docs/sensors/sysmon_10.4.md +++ b/docs/sensors/sysmon_10.4.md @@ -14,14 +14,17 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [registry](../data_model/registry) +### [file](../data_model/file) -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | |✓|✓| |✓|✓| |✓| | |✓| -| `key_edit` | | | | | | | | | | | | -| `remove` | |✓|✓| |✓|✓| |✓| | |✓| -| `value_edit` | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | ### [flow](../data_model/flow) @@ -31,19 +34,14 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | |✓|✓|✓| | | | |✓| | | | |✓| | | |✓|✓|✓|✓| | | |✓| -### [module](../data_model/module) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | -|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | -| `unload` | | | | | | | | | | | | | | - -### [driver](../data_model/driver) +### [registry](../data_model/registry) -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | |---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| | |✓|✓| |✓| -| `unload` | | | | | | | | | | | | +| `add` | |✓|✓| |✓|✓| |✓| | |✓| +| `key_edit` | | | | | | | | | | | | +| `remove` | |✓|✓| |✓|✓| |✓| | |✓| +| `value_edit` | | | | | | | | | | | | ### [process](../data_model/process) @@ -62,17 +60,19 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `suspend` | | | | | | | | | | | | | | | | | `terminate` | | | | | | | | | | | | | | | | -### [file](../data_model/file) +### [module](../data_model/module) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | +|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | +| `unload` | | | | | | | | | | | | | | + +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| | |✓|✓| |✓| +| `unload` | | | | | | | | | | | | diff --git a/docs/sensors/sysmon_11.0.md b/docs/sensors/sysmon_11.0.md index 4d5461d1..e1032d2a 100644 --- a/docs/sensors/sysmon_11.0.md +++ b/docs/sensors/sysmon_11.0.md @@ -14,14 +14,17 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [registry](../data_model/registry) +### [file](../data_model/file) -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | |✓|✓| |✓|✓| |✓| | |✓| -| `key_edit` | | | | | | | | | | | | -| `remove` | |✓|✓| |✓|✓| |✓| | |✓| -| `value_edit` | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | | |✓| +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | ### [flow](../data_model/flow) @@ -31,19 +34,14 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | | |✓| -### [module](../data_model/module) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | -|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | -| `unload` | | | | | | | | | | | | | | - -### [driver](../data_model/driver) +### [registry](../data_model/registry) -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | |---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| | |✓|✓| |✓| -| `unload` | | | | | | | | | | | | +| `add` | |✓|✓| |✓|✓| |✓| | |✓| +| `key_edit` | | | | | | | | | | | | +| `remove` | |✓|✓| |✓|✓| |✓| | |✓| +| `value_edit` | | | | | | | | | | | | ### [process](../data_model/process) @@ -62,17 +60,19 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `suspend` | | | | | | | | | | | | | | | | | `terminate` | | | | | | | | | | | | | | | | -### [file](../data_model/file) +### [module](../data_model/module) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | | |✓| -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | +|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | +| `unload` | | | | | | | | | | | | | | + +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| | |✓|✓| |✓| +| `unload` | | | | | | | | | | | | diff --git a/docs/sensors/sysmon_13.md b/docs/sensors/sysmon_13.md index 8d28e3c5..2a23e83b 100644 --- a/docs/sensors/sysmon_13.md +++ b/docs/sensors/sysmon_13.md @@ -14,14 +14,17 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [registry](../data_model/registry) +### [file](../data_model/file) -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | ✓|✓|✓| |✓|✓| |✓| | |✓| -| `key_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| -| `remove` | |✓|✓| |✓|✓| |✓| | |✓| -| `value_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | |✓|✓| +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | ### [flow](../data_model/flow) @@ -31,19 +34,14 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | |✓|✓| -### [module](../data_model/module) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | -|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| |✓|✓|✓| |✓|✓|✓| -| `unload` | | | | | | | | | | | | | | - -### [driver](../data_model/driver) +### [registry](../data_model/registry) -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | |---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| | |✓|✓|✓|✓| -| `unload` | | | | | | | | | | | | +| `add` | ✓|✓|✓| |✓|✓| |✓| | |✓| +| `key_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| +| `remove` | |✓|✓| |✓|✓| |✓| | |✓| +| `value_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| ### [process](../data_model/process) @@ -62,17 +60,19 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `suspend` | | | | | | | | | | | | | | | | | `terminate` | | | | | | | | | | | | | | | | -### [file](../data_model/file) +### [module](../data_model/module) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | |✓|✓| -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | +|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| |✓|✓|✓| |✓|✓|✓| +| `unload` | | | | | | | | | | | | | | + +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| | |✓|✓|✓|✓| +| `unload` | | | | | | | | | | | | diff --git a/scripts/requirements.txt b/scripts/requirements.txt index 83c4d76e..22b5f04d 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -5,7 +5,7 @@ idna==2.10 Jinja2==2.11.3 MarkupSafe==1.1.1 pendulum==1.2.5 -Pillow==9.3.0 +Pillow==10.3.0 pyattck==3.0.1 pyfiglet==0.8.post1 python-dateutil==2.8.1