diff --git a/docs/analytics/CAR-2021-05-010/index.md b/docs/analytics/CAR-2021-05-010/index.md
index 0563fc99..4e72c842 100644
--- a/docs/analytics/CAR-2021-05-010/index.md
+++ b/docs/analytics/CAR-2021-05-010/index.md
@@ -47,7 +47,7 @@ Pseudocode implementation of the Splunk search below
 ```
 processes = search Process:Create
 certutil_downloads = filter processes where (
- (exe = C:\Windows\System32\net.exe OR exe = C:\Windows\System32\net1.exe ) AND command_line = * -exportPFX * )
+ (exe = C:\Windows\System32\net.exe OR exe = C:\Windows\System32\net1.exe ) AND (command_line = *localgroup* OR command_line = */add* OR command_line = *user* ))
 output certutil_downloads
 ```
diff --git a/docs/analytics/by_technique/index.md b/docs/analytics/by_technique/index.md
index c4db61a6..f8de1098 100644
--- a/docs/analytics/by_technique/index.md
+++ b/docs/analytics/by_technique/index.md
@@ -16,14 +16,14 @@ permalink: /analytics/by_technique T1003: OS Credential Dumping - - T1003.001: LSASS Memory - - T1003.003: NTDS + + T1003.001: LSASS Memory + + T1003.002: Security Account Manager
@@ -59,20 +59,20 @@ permalink: /analytics/by_technique - T1021.002: SMB/Windows Admin Shares - + T1021.001: Remote Desktop Protocol + - T1021.003: Distributed Component Object Model - + T1021.002: SMB/Windows Admin Shares + T1021.006: Windows Remote Management - T1021.001: Remote Desktop Protocol - + T1021.003: Distributed Component Object Model + T1029: Scheduled Transfer
@@ -89,14 +89,14 @@ permalink: /analytics/by_technique (N/A - technique only) - - T1036.003: Rename System Utilities - - T1036.005: Match Legitimate Name or Location + + T1036.003: Rename System Utilities + + T1037: Boot or Logon Initialization Scripts T1037.001: Logon Script (Windows)
@@ -130,14 +130,14 @@ permalink: /analytics/by_technique T1053: Scheduled Task/Job - - T1053.005: Scheduled Task - - T1053.002: At + + T1053.005: Scheduled Task + + T1055: Process Injection
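Review bot: On the `+` line the three command_line terms are OR-ed, so any net.exe/net1.exe run whose arguments merely contain `user` or `localgroup` (a bare `net user` or `net localgroup` listing) satisfies the filter exactly as an actual `/add` does, which is a lot of benign noise for an analytic whose title (CAR-2021-05-010, "Create local admin accounts using net exe", as listed in car_attack.json further down this diff) is about account creation; the tighter form is `(command_line = *user* OR command_line = *localgroup*) AND command_line = */add*`. The result variable on the context lines is still `certutil_downloads`, apparently left over from the CertUtil analytic this block was copied from (the removed `-exportPFX` term is the other trace of it); renaming it on the `certutil_downloads = filter processes where (` and `output certutil_downloads` lines, e.g. to `net_account_creation`, would keep the pseudocode readable and stop the output from being mislabelled. The Splunk search that this pseudocode is described as mirroring sits outside the hunk, so whether the two were updated consistently cannot be checked from here.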
@@ -277,14 +277,14 @@ permalink: /analytics/by_technique T1218: System Binary Proxy Execution - - T1218.011: Rundll32 - - T1218.010: Regsvr32 + + T1218.011: Rundll32 + + T1218.001: Compiled HTML File @@ -328,40 +328,40 @@ permalink: /analytics/by_technique T1546: Event Triggered Execution - T1546.015: Component Object Model Hijacking - - - - T1546.002: Screensaver - + T1546.001: Change Default File Association + - T1546.010: AppInit DLLs - + T1546.003: Windows Management Instrumentation Event Subscription + T1546.008: Accessibility Features - T1546.001: Change Default File Association - + T1546.010: AppInit DLLs + - T1546.003: Windows Management Instrumentation Event Subscription - + T1546.002: Screensaver + - T1547: Boot or Logon Autostart Execution + T1546.015: Component Object Model Hijacking + - T1547.001: Registry Run Keys / Startup Folder - + T1547: Boot or Logon Autostart Execution T1547.004: Winlogon Helper DLL + + T1547.001: Registry Run Keys / Startup Folder + + T1547.010: Port Monitors @@ -410,16 +410,16 @@ permalink: /analytics/by_technique T1562: Impair Defenses - T1562.006: Indicator Blocking - + T1562.001: Disable or Modify Tools + T1562.002: Disable Windows Event Logging - T1562.001: Disable or Modify Tools - + T1562.006: Indicator Blocking + T1564: Hide Artifacts @@ -446,28 +446,28 @@ permalink: /analytics/by_technique T1574: Hijack Execution Flow - T1574.001: DLL Search Order Hijacking - + T1574.007: Path Interception by PATH Environment Variable + - T1574.009: Path Interception by Unquoted Path - + T1574.008: Path Interception by Search Order Hijacking + - T1574.011: Services Registry Permissions Weakness - + T1574.009: Path Interception by Unquoted Path + T1574.010: Services File Permissions Weakness - T1574.007: Path Interception by PATH Environment Variable - + T1574.011: Services Registry Permissions Weakness + - T1574.008: Path Interception by Search Order Hijacking - + T1574.001: DLL Search Order Hijacking + T1606: Forge Web Credentials 
diff --git a/docs/car_attack/car_attack.json b/docs/car_attack/car_attack.json
index 907e155f..25ea6ebd 100644
--- a/docs/car_attack/car_attack.json
+++ b/docs/car_attack/car_attack.json
@@ -1,97 +1,122 @@ { - "version": "3.0", + "versions": { + "layer": "4.5", + "attack": "14", + "navigator": "4.9.4" + }, "name": "CAR ATT&CK", "description": "CAR Analytics ATT&CK Coverage", "domain": "mitre-enterprise", "techniques": [ { - "techniqueID": "T1548", + "techniqueID": "T1036", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", + "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1548.002", + "techniqueID": "T1559", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1559.002", + "color": "#c6dbef", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", "enabled": true }, { - "techniqueID": "T1021", + "techniqueID": "T1547", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments | CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM) | CAR-2016-04-005: Remote Desktop Logon", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, 
Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1021.002", + "techniqueID": "T1547.004", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", "enabled": true }, { - "techniqueID": "T1021.003", + "techniqueID": "T1112", "color": "#c6dbef", - "comment": "CAR-2014-05-001: RPC Activity", - "enabled": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1021.006", + "techniqueID": "T1543", "color": "#c6dbef", - "comment": "CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM)", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1543.003", + "color": "#c6dbef", + "comment": 
"CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", "enabled": true }, { - "techniqueID": "T1070", + "techniqueID": "T1047", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "comment": "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | CAR-2014-12-001: Remotely Launched Executables via WMI | CAR-2016-03-002: Create Remote Process via WMIC", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1070.003", + "techniqueID": "T1222", "color": "#c6dbef", - "comment": "CAR-2020-11-005: Clear Powershell Console Command History", - "enabled": true + "comment": "CAR-2019-07-001: Access Permission Modification", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1053", + "techniqueID": "T1222.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2019-07-001: Access Permission Modification", + "enabled": true }, { - "techniqueID": "T1053.005", + "techniqueID": "T1222.002", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | 
CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", + "comment": "CAR-2019-07-001: Access Permission Modification", "enabled": true }, { - "techniqueID": "T1553", + "techniqueID": "T1078", "color": "#c6dbef", - "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1553.004", + "techniqueID": "T1078.002", "color": "#c6dbef", - "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", "enabled": true }, { - "techniqueID": "T1003", + "techniqueID": "T1078.003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS | CAR-2021-05-011: Create Remote Thread into LSASS", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | 
CAR-2013-10-001: User Login Activity Monitoring", + "enabled": true + }, + { + "techniqueID": "T1218", + "color": "#c6dbef", + "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | CAR-2020-11-009: Compiled HTML Access | CAR-2020-11-010: CMSTP", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1003.001", + "techniqueID": "T1218.010", "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2021-05-011: Create Remote Thread into LSASS", + "comment": "CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", "enabled": true }, { 
@@ -108,295 +133,273 @@ "enabled": true }, { - "techniqueID": "T1562", + "techniqueID": "T1197", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", + "comment": "CAR-2021-05-004: BITS Job Persistence | CAR-2021-05-005: BITSAdmin Download File", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1562.006", - "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", - "enabled": true - }, - { - "techniqueID": "T1570", + "techniqueID": "T1105", "color": "#c6dbef", - "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1574", + "techniqueID": "T1053", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | 
CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1574.001", + "techniqueID": "T1053.002", "color": "#c6dbef", - "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2015-04-001: Remotely Scheduled Tasks via AT", "enabled": true }, { - "techniqueID": "T1112", - "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1218", + "techniqueID": "T1003", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | CAR-2020-11-009: Compiled HTML Access | CAR-2020-11-010: CMSTP", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS | CAR-2021-05-011: Create Remote Thread into 
LSASS", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1218.011", + "techniqueID": "T1003.003", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring", + "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS", "enabled": true }, { - "techniqueID": "T1546", + "techniqueID": "T1569", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1546.015", + "techniqueID": "T1569.002", "color": "#c6dbef", - "comment": "CAR-2020-09-002: Component Object Model Hijacking", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true }, { - "techniqueID": "T1046", + "techniqueID": "T1068", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", + "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1218.010", + "techniqueID": "T1553", "color": "#c6dbef", - "comment": "CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", - "enabled": true + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted 
Store", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1070.001", + "techniqueID": "T1553.004", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", "enabled": true }, { - "techniqueID": "T1543", + "techniqueID": "T1606", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1543.003", - "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", - "enabled": true - }, - { - "techniqueID": "T1574.009", + "techniqueID": "T1606.002", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-07-001: Service Search Path Interception", + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", "enabled": true }, { - "techniqueID": "T1012", + "techniqueID": "T1055", "color": "#c6dbef", - "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", "enabled": true, 
"showSubtechniques": true }, { - "techniqueID": "T1547", + "techniqueID": "T1055.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", + "enabled": true }, { - "techniqueID": "T1547.001", + "techniqueID": "T1059", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", - "enabled": true + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1574.011", + "techniqueID": "T1059.003", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", "enabled": true }, { - "techniqueID": "T1550", + "techniqueID": "T1562", "color": "#c6dbef", - "comment": "CAR-2016-04-004: Successful Local Account Login", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from 
Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1550.002", + "techniqueID": "T1562.001", "color": "#c6dbef", - "comment": "CAR-2016-04-004: Successful Local Account Login", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt", "enabled": true }, { - "techniqueID": "T1547.004", + "techniqueID": "T1059.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", + "comment": "CAR-2014-04-003: Powershell Execution | CAR-2014-11-004: Remote PowerShell Sessions", "enabled": true }, { - "techniqueID": "T1552", + "techniqueID": "T1069", "color": "#c6dbef", - "comment": "CAR-2020-09-004: Credentials in Files & Registry", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1552.001", + "techniqueID": "T1069.001", "color": "#c6dbef", - "comment": "CAR-2020-09-004: Credentials in Files & Registry", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true }, { - "techniqueID": "T1552.002", + "techniqueID": "T1069.002", "color": "#c6dbef", - "comment": "CAR-2020-09-004: Credentials in Files & Registry", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local 
Permission Group Discovery", "enabled": true }, { - "techniqueID": "T1055", + "techniqueID": "T1560", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", + "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1055.001", + "techniqueID": "T1560.001", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", + "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true }, { - "techniqueID": "T1036", + "techniqueID": "T1505", "color": "#c6dbef", - "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1036.003", + "techniqueID": "T1505.003", "color": "#c6dbef", - "comment": "CAR-2013-05-009: Running executables with same hash and different names", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", "enabled": true }, { - "techniqueID": "T1218.001", + "techniqueID": "T1053.005", "color": "#c6dbef", - "comment": "CAR-2020-11-009: Compiled HTML Access", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "enabled": true }, { - "techniqueID": "T1140", - "color": "#c6dbef", - "comment": "CAR-2021-05-009: CertUtil With Decode Argument", - 
"enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1127", + "techniqueID": "T1547.001", "color": "#c6dbef", - "comment": "CAR-2020-11-008: MSBuild and msxsl", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "enabled": true }, { - "techniqueID": "T1127.001", + "techniqueID": "T1547.010", "color": "#c6dbef", - "comment": "CAR-2020-11-008: MSBuild and msxsl", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1047", + "techniqueID": "T1574", "color": "#c6dbef", - "comment": "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | CAR-2014-12-001: Remotely Launched Executables via WMI | CAR-2016-03-002: Create Remote Process via WMIC", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1136", + "techniqueID": "T1574.007", "color": "#c6dbef", - "comment": "CAR-2021-05-010: Create local admin accounts using net exe", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences", + "enabled": true }, { - "techniqueID": "T1136.001", + "techniqueID": "T1574.008", "color": "#c6dbef", - "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1059", + "techniqueID": "T1574.009", "color": "#c6dbef", 
- "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-07-001: Service Search Path Interception", + "enabled": true }, { - "techniqueID": "T1059.003", + "techniqueID": "T1574.010", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-02-001: Service Binary Modifications", "enabled": true }, { - "techniqueID": "T1559", + "techniqueID": "T1574.011", "color": "#c6dbef", - "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", + "enabled": true + }, + { + "techniqueID": "T1546", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1559.002", + "techniqueID": "T1546.001", "color": "#c6dbef", - "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1574.010", + "techniqueID": "T1546.003", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-02-001: Service Binary 
Modifications", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1569", + "techniqueID": "T1546.008", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", + "enabled": true }, { - "techniqueID": "T1569.002", + "techniqueID": "T1546.010", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-09-005: AppInit DLLs", "enabled": true }, { - "techniqueID": "T1036.005", + "techniqueID": "T1490", "color": "#c6dbef", - "comment": "CAR-2021-04-001: Common Windows Process Masquerading", - "enabled": true + "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", + "enabled": true, + "showSubtechniques": true }, { "techniqueID": "T1562.002", 
@@ -405,17 +408,17 @@
 "enabled": true
 },
 {
- "techniqueID": "T1569.001",
+ "techniqueID": "T1070",
 "color": "#c6dbef",
- "comment": "CAR-2021-05-012: Create Service In Suspicious File Path",
- "enabled": true
+ "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil",
+ "enabled": true,
+ "showSubtechniques": true
 },
 {
- "techniqueID": "T1187",
+ "techniqueID": "T1070.003",
 "color": "#c6dbef",
- "comment": "CAR-2013-09-003: SMB Session Setups",
- "enabled": true,
- "showSubtechniques": true
+ "comment": "CAR-2020-11-005: Clear Powershell Console Command History",
+ "enabled": true
 },
 {
 "techniqueID": "T1546.002",
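Review bot: Both entries removed in this hunk, T1569.001 and T1187, reappear with byte-identical comments in the `@@ -424` and `@@ -746` hunks, and the same remove-here/re-add-there pattern runs through the `@@ -424`, `@@ -637`, `@@ -657` and `@@ -746` hunks (for example T1070.005 and T1490), which suggests the techniques array is serialised in dictionary or set iteration order rather than a stable order. The reshuffle buries whatever actually changed in the layer — for instance whether T1574.001's comment at the `@@ -746` hunk is a new mapping to CAR-2021-11-001 or a moved entry cannot be told from this diff — and it will produce a near-full-file diff on every regeneration. This file reads as generated output and the generator is not part of the commit, so I cannot confirm that from the diff, but the fix belongs there: sort the entries by `techniqueID` before writing the JSON, e.g. `techniques.sort(key=lambda t: t["techniqueID"])` (constructed example), so the layer is deterministic and a diff shows only coverage changes.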
@@ -424,211 +427,201 @@
 "enabled": true
 },
 {
- "techniqueID": "T1068",
+ "techniqueID": "T1218.011",
 "color": "#c6dbef",
- "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe",
- "enabled": true,
- "showSubtechniques": true
+ "comment": "CAR-2014-03-006: RunDLL32.exe monitoring",
+ "enabled": true
 },
 {
- "techniqueID": "T1105",
- "color": "#c6dbef",
- "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments",
- "enabled": true,
- "showSubtechniques": true
+ "techniqueID": "T1036.005",
+ "color": "#c6dbef",
+ "comment": "CAR-2021-04-001: Common Windows Process Masquerading",
+ "enabled": true
 },
 {
- "techniqueID": "T1078",
+ "techniqueID": "T1552",
 "color": "#c6dbef",
- "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring",
+ "comment": "CAR-2020-09-004: Credentials in Files & Registry",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1078.002",
+ "techniqueID": "T1552.001",
 "color": "#c6dbef",
- "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring",
+ "comment": "CAR-2020-09-004: Credentials in Files & Registry",
 "enabled": true
 },
 {
- "techniqueID": "T1078.003",
+ "techniqueID": "T1552.002",
 "color": "#c6dbef",
- "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring",
+ "comment": "CAR-2020-09-004: Credentials in Files & Registry",
 "enabled": true
 },
 {
- "techniqueID": "T1562.001",
+ "techniqueID": "T1003.001",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt",
+ "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2021-05-011: Create Remote Thread into LSASS",
 "enabled": true
 },
 {
- "techniqueID": "T1087",
+ "techniqueID": "T1548",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
+ "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1087.001",
- "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
- "enabled": true
- },
- {
- "techniqueID": "T1087.002",
+ "techniqueID": "T1548.002",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
+ "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC",
 "enabled": true
 },
 {
- "techniqueID": "T1069",
+ "techniqueID": "T1136",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery",
+ "comment": "CAR-2021-05-010: Create local admin accounts using net exe",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1069.001",
+ "techniqueID": "T1136.001",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery",
+ "comment": "CAR-2021-05-010: Create local admin accounts using net exe",
 "enabled": true
 },
 {
- "techniqueID": "T1069.002",
+ "techniqueID": "T1021",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery",
- "enabled": true
+ "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments | CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM) | CAR-2016-04-005: Remote Desktop Logon",
+ "enabled": true,
+ "showSubtechniques": true
 },
 {
- "techniqueID": "T1016",
+ "techniqueID": "T1021.001",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
- "enabled": true,
- "showSubtechniques": true
+ "comment": "CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2016-04-005: Remote Desktop Logon",
+ "enabled": true
 },
 {
- "techniqueID": "T1082",
+ "techniqueID": "T1570",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
+ "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1033",
+ "techniqueID": "T1070.001",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
- "enabled": true,
- "showSubtechniques": true
+ "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil",
+ "enabled": true
 },
 {
- "techniqueID": "T1057",
+ "techniqueID": "T1012",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
+ "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1007",
+ "techniqueID": "T1040",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
+ "comment": "CAR-2020-11-002: Local Network Sniffing",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1204",
+ "techniqueID": "T1564",
 "color": "#c6dbef",
- "comment": "CAR-2021-05-002: Batch File Write to System32",
+ "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1204.002",
+ "techniqueID": "T1564.004",
 "color": "#c6dbef",
- "comment": "CAR-2021-05-002: Batch File Write to System32",
+ "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS",
 "enabled": true
 },
 {
- "techniqueID": "T1218.003",
+ "techniqueID": "T1070.005",
 "color": "#c6dbef",
- "comment": "CAR-2020-11-010: CMSTP",
+ "comment": "CAR-2020-11-007: Network Share Connection Removal",
 "enabled": true
 },
 {
- "techniqueID": "T1490",
+ "techniqueID": "T1218.001",
 "color": "#c6dbef",
- "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification",
- "enabled": true,
- "showSubtechniques": true
+ "comment": "CAR-2020-11-009: Compiled HTML Access",
+ "enabled": true
 },
 {
- "techniqueID": "T1003.003",
+ "techniqueID": "T1036.003",
 "color": "#c6dbef",
- "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS",
+ "comment": "CAR-2013-05-009: Running executables with same hash and different names",
 "enabled": true
 },
 {
- "techniqueID": "T1059.001",
+ "techniqueID": "T1021.002",
 "color": "#c6dbef",
- "comment": "CAR-2014-04-003: Powershell Execution | CAR-2014-11-004: Remote PowerShell Sessions",
+ "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity",
 "enabled": true
 },
 {
- "techniqueID": "T1546.010",
+ "techniqueID": "T1021.006",
 "color": "#c6dbef",
- "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-09-005: AppInit DLLs",
+ "comment": "CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM)",
 "enabled": true
 },
 {
- "techniqueID": "T1070.005",
+ "techniqueID": "T1140",
 "color": "#c6dbef",
- "comment": "CAR-2020-11-007: Network Share Connection Removal",
- "enabled": true
+ "comment": "CAR-2021-05-009: CertUtil With Decode Argument",
+ "enabled": true,
+ "showSubtechniques": true
 },
 {
- "techniqueID": "T1546.008",
+ "techniqueID": "T1569.001",
 "color": "#c6dbef",
- "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon",
+ "comment": "CAR-2021-05-012: Create Service In Suspicious File Path",
 "enabled": true
 },
 {
- "techniqueID": "T1564",
+ "techniqueID": "T1218.003",
 "color": "#c6dbef",
- "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS",
- "enabled": true,
- "showSubtechniques": true
+ "comment": "CAR-2020-11-010: CMSTP",
+ "enabled": true
 },
 {
- "techniqueID": "T1564.004",
+ "techniqueID": "T1039",
 "color": "#c6dbef",
- "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS",
- "enabled": true
+ "comment": "CAR-2013-01-003: SMB Events Monitoring",
+ "enabled": true,
+ "showSubtechniques": true
 },
 {
- "techniqueID": "T1021.001",
+ "techniqueID": "T1546.015",
 "color": "#c6dbef",
- "comment": "CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2016-04-005: Remote Desktop Logon",
+ "comment": "CAR-2020-09-002: Component Object Model Hijacking",
 "enabled": true
 },
 {
- "techniqueID": "T1560",
+ "techniqueID": "T1087",
 "color": "#c6dbef",
- "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software",
+ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1560.001",
+ "techniqueID": "T1087.001",
 "color": "#c6dbef",
- "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software",
+ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
 "enabled": true
 },
 {
- "techniqueID": "T1197",
+ "techniqueID": "T1087.002",
 "color": "#c6dbef",
- "comment": "CAR-2021-05-004: BITS Job Persistence | CAR-2021-05-005: BITSAdmin Download File",
- "enabled": true,
- "showSubtechniques": true
+ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
+ "enabled": true
 },
 {
 "techniqueID": "T1003.002",
@@ -637,17 +630,18 @@
 "enabled": true
 },
 {
- "techniqueID": "T1018",
+ "techniqueID": "T1057",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands",
+ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1053.002",
+ "techniqueID": "T1018",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2015-04-001: Remotely Scheduled Tasks via AT",
- "enabled": true
+ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands",
+ "enabled": true,
+ "showSubtechniques": true
 },
 {
 "techniqueID": "T1029",
@@ -657,86 +651,97 @@
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1049",
+ "techniqueID": "T1033",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands",
+ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1010",
+ "techniqueID": "T1007",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands",
+ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1518",
+ "techniqueID": "T1082",
 "color": "#c6dbef",
- "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands",
+ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1518.001",
+ "techniqueID": "T1049",
 "color": "#c6dbef",
 "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands",
- "enabled": true
+ "enabled": true,
+ "showSubtechniques": true
 },
 {
- "techniqueID": "T1098",
+ "techniqueID": "T1016",
+ "color": "#c6dbef",
+ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands",
+ "enabled": true,
+ "showSubtechniques": true
+ },
+ {
+ "techniqueID": "T1010",
 "color": "#c6dbef",
 "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1059.005",
+ "techniqueID": "T1518",
 "color": "#c6dbef",
 "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands",
- "enabled": true
+ "enabled": true,
+ "showSubtechniques": true
 },
 {
- "techniqueID": "T1547.010",
+ "techniqueID": "T1518.001",
 "color": "#c6dbef",
- "comment": "CAR-2013-01-002: Autorun Differences",
+ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands",
 "enabled": true
 },
 {
- "techniqueID": "T1574.007",
+ "techniqueID": "T1046",
 "color": "#c6dbef",
- "comment": "CAR-2013-01-002: Autorun Differences",
- "enabled": true
+ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity",
+ "enabled": true,
+ "showSubtechniques": true
 },
 {
- "techniqueID": "T1574.008",
+ "techniqueID": "T1562.006",
 "color": "#c6dbef",
- "comment": "CAR-2013-01-002: Autorun Differences",
+ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded",
 "enabled": true
 },
 {
- "techniqueID": "T1546.001",
+ "techniqueID": "T1098",
 "color": "#c6dbef",
- "comment": "CAR-2013-01-002: Autorun Differences",
- "enabled": true
+ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands",
+ "enabled": true,
+ "showSubtechniques": true
 },
 {
- "techniqueID": "T1546.003",
+ "techniqueID": "T1059.005",
 "color": "#c6dbef",
- "comment": "CAR-2013-01-002: Autorun Differences",
+ "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands",
 "enabled": true
 },
 {
- "techniqueID": "T1606",
+ "techniqueID": "T1127",
 "color": "#c6dbef",
- "comment": "CAR-2021-05-008: Certutil exe certificate extraction",
+ "comment": "CAR-2020-11-008: MSBuild and msxsl",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1606.002",
+ "techniqueID": "T1127.001",
 "color": "#c6dbef",
- "comment": "CAR-2021-05-008: Certutil exe certificate extraction",
+ "comment": "CAR-2020-11-008: MSBuild and msxsl",
 "enabled": true
 },
 {
@@ -746,49 +751,48 @@
 "enabled": true
 },
 {
- "techniqueID": "T1222",
+ "techniqueID": "T1550",
 "color": "#c6dbef",
- "comment": "CAR-2019-07-001: Access Permission Modification",
+ "comment": "CAR-2016-04-004: Successful Local Account Login",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1222.001",
+ "techniqueID": "T1550.002",
 "color": "#c6dbef",
- "comment": "CAR-2019-07-001: Access Permission Modification",
+ "comment": "CAR-2016-04-004: Successful Local Account Login",
 "enabled": true
 },
 {
- "techniqueID": "T1222.002",
+ "techniqueID": "T1574.001",
 "color": "#c6dbef",
- "comment": "CAR-2019-07-001: Access Permission Modification",
+ "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0",
 "enabled": true
 },
 {
- "techniqueID": "T1040",
+ "techniqueID": "T1204",
 "color": "#c6dbef",
- "comment": "CAR-2020-11-002: Local Network Sniffing",
+ "comment": "CAR-2021-05-002: Batch File Write to System32",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1039",
+ "techniqueID": "T1204.002",
 "color": "#c6dbef",
- "comment": "CAR-2013-01-003: SMB Events Monitoring",
- "enabled": true,
- "showSubtechniques": true
+ "comment": "CAR-2021-05-002: Batch File Write to System32",
+ "enabled": true
 },
 {
- "techniqueID": "T1505",
+ "techniqueID": "T1187",
 "color": "#c6dbef",
- "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree",
+ "comment": "CAR-2013-09-003: SMB Session Setups",
 "enabled": true,
 "showSubtechniques": true
 },
 {
- "techniqueID": "T1505.003",
+ "techniqueID": "T1021.003",
 "color": "#c6dbef",
- "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree",
+ "comment": "CAR-2014-05-001: RPC Activity",
 "enabled": true
 }
 ]
diff --git a/docs/data/analytics.json b/docs/data/analytics.json
index b50ff824..4efe5bfe 100644
--- a/docs/data/analytics.json
+++ b/docs/data/analytics.json
@@ -1 +1 @@ -{"analytics": [{"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", 
"registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, 
{"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", 
"flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, 
{"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": 
"Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": 
"Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": 
"Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": 
["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", 
"fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": 
"Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Detecting Shadow Copy Deletion or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": 
["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": 
"Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", 
"process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, 
{"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": 
["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}]} \ No newline at end of file +{"analytics": [{"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": 
[{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": 
"CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Local Permission 
Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Detecting Shadow Copy Deletion or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": 
["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", 
"Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": 
["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": 
["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": 
[{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": 
["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": 
["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", 
"coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": 
["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": 
["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": 
"Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": 
["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}]}
\ No newline at end of file
diff --git a/docs/sensors/auditd_2.8.md b/docs/sensors/auditd_2.8.md
index 235304ad..aa3ef2a0 100644
--- a/docs/sensors/auditd_2.8.md
+++ b/docs/sensors/auditd_2.8.md
@@ -23,17 +23,12 @@ auditd is the userspace component to the Linux Auditing System. It's responsible
 | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
 | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓|
-### [file](../data_model/file)
+### [driver](../data_model/driver)
-| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` |
-|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
-| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
-| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
-| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
-| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
+| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` |
+|---|---|---|---|---|---|---|---|---|---|---|
+| `load` | | | |✓|✓|✓| |✓|✓| | |
+| `unload` | | | | | | | | | | | |
 ### [process](../data_model/process)
@@ -43,12 +38,17 @@ auditd is the userspace component to the Linux Auditing System. It's responsible
 | `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓|
 | `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
-### [driver](../data_model/driver)
+### [file](../data_model/file)
-| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` |
-|---|---|---|---|---|---|---|---|---|---|---|
-| `load` | | | |✓|✓|✓| |✓|✓| | |
-| `unload` | | | | | | | | | | | |
+| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` |
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
+| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
+| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
+| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
+| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
diff --git a/docs/sensors/autoruns_13.98.md b/docs/sensors/autoruns_13.98.md
index a32f571b..2cf2b3de 100644
--- a/docs/sensors/autoruns_13.98.md
+++ b/docs/sensors/autoruns_13.98.md
@@ -14,17 +14,14 @@ Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Wi
 ## Data Model Coverage
-### [file](../data_model/file)
+### [registry](../data_model/registry)
-| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` |
-|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `create` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | |
-| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `modify` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | |
-| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `timestomp` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` |
+|---|---|---|---|---|---|---|---|---|---|---|
+| `add` | ✓|✓|✓|✓| |✓| | |✓| |✓|
+| `key_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓|
+| `remove` | | | | | | | | | | | |
+| `value_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓|
 ### [service](../data_model/service)
@@ -36,14 +33,17 @@ Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Wi
 | `start` | | | | | | | | | | |
 | `stop` | | | | | | | | | | |
-### [registry](../data_model/registry)
+### [file](../data_model/file)
-| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` |
-|---|---|---|---|---|---|---|---|---|---|---|
-| `add` | ✓|✓|✓|✓| |✓| | |✓| |✓|
-| `key_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓|
-| `remove` | | | | | | | | | | | |
-| `value_edit` | ✓|✓|✓|✓| |✓|✓| |✓| |✓|
+| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` |
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `create` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | |
+| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `modify` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | |
+| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `timestomp` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | |
diff --git a/docs/sensors/osquery_4.1.2.md b/docs/sensors/osquery_4.1.2.md
index a05ba2c9..f484782a 100644
--- a/docs/sensors/osquery_4.1.2.md
+++ b/docs/sensors/osquery_4.1.2.md
@@ -22,17 +22,12 @@ osquery exposes an operating system as a high-performance relational database. T
 | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
 | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓|
-### [file](../data_model/file)
+### [driver](../data_model/driver)
-| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` |
-|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
-| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
-| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
-| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
-| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
+| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` |
+|---|---|---|---|---|---|---|---|---|---|---|
+| `load` | | | |✓|✓|✓| |✓|✓| | |
+| `unload` | | | | | | | | | | | |
 ### [process](../data_model/process)
@@ -42,12 +37,17 @@ osquery exposes an operating system as a high-performance relational database. T
 | `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓|
 | `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
-### [driver](../data_model/driver)
+### [file](../data_model/file)
-| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` |
-|---|---|---|---|---|---|---|---|---|---|---|
-| `load` | | | |✓|✓|✓| |✓|✓| | |
-| `unload` | | | | | | | | | | | |
+| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` |
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
+| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
+| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
+| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
+| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓|
diff --git a/docs/sensors/osquery_4.6.0.md b/docs/sensors/osquery_4.6.0.md
index 024c5c8d..5fce086a 100644
--- a/docs/sensors/osquery_4.6.0.md
+++ b/docs/sensors/osquery_4.6.0.md
@@ -22,17 +22,12 @@ osquery exposes an operating system as a high-performance relational database. T
 | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
 | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓|
-### [file](../data_model/file)
+### [driver](../data_model/driver)
-| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` |
-|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `create` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓|
-| `delete` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓|
-| `modify` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓|
-| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓|
-| `write` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓|
+| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` |
+|---|---|---|---|---|---|---|---|---|---|---|
+| `load` | | | |✓|✓|✓| |✓|✓| | |
+| `unload` | | | | | | | | | | | |
 ### [process](../data_model/process)
@@ -42,12 +37,17 @@ osquery exposes an operating system as a high-performance relational database. T
 | `create` | | |✓|✓|✓|✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | |✓| |
 | `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
-### [driver](../data_model/driver)
+### [file](../data_model/file)
-| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` |
-|---|---|---|---|---|---|---|---|---|---|---|
-| `load` | | | |✓|✓|✓| |✓|✓| | |
-| `unload` | | | | | | | | | | | |
+| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` |
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `create` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓|
+| `delete` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓|
+| `modify` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓|
+| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓|
+| `write` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓|
diff --git a/docs/sensors/sysmon_10.4.md b/docs/sensors/sysmon_10.4.md
index 4a474305..ac500184 100644
--- a/docs/sensors/sysmon_10.4.md
+++ b/docs/sensors/sysmon_10.4.md
@@ -14,26 +14,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of
 ## Data Model Coverage
-### [flow](../data_model/flow)
-
-| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` |
-|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `start` | | | |✓|✓|✓| | | | |✓| | | | |✓| | | |✓|✓|✓|✓| | | |✓|
-
-### [file](../data_model/file)
-
-| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` |
-|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `create` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| | | | | | | | |
-| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | |
-| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-
 ### [registry](../data_model/registry)
 | | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` |
@@ -43,6 +23,14 @@ Sysmon is a freely available program from Microsoft that is provided as part of
 | `remove` | |✓|✓| |✓|✓| |✓| | |✓|
 | `value_edit` | | | | | | | | | | | |
+### [flow](../data_model/flow)
+
+| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` |
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `start` | | | |✓|✓|✓| | | | |✓| | | | |✓| | | |✓|✓|✓|✓| | | |✓|
+
 ### [module](../data_model/module)
 | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` |
@@ -50,6 +38,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of
 | `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| |
 | `unload` | | | | | | | | | | | | | |
+### [driver](../data_model/driver)
+
+| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` |
+|---|---|---|---|---|---|---|---|---|---|---|
+| `load` | |✓| |✓|✓| | |✓|✓| |✓|
+| `unload` | | | | | | | | | | | |
+
 ### [process](../data_model/process)
 | | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` |
@@ -67,12 +62,17 @@ Sysmon is a freely available program from Microsoft that is provided as part of
 | `suspend` | | | | | | | | | | | | | | | |
 | `terminate` | | | | | | | | | | | | | | | |
-### [driver](../data_model/driver)
+### [file](../data_model/file)
-| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` |
-|---|---|---|---|---|---|---|---|---|---|---|
-| `load` | |✓| |✓|✓| | |✓|✓| |✓|
-| `unload` | | | | | | | | | | | |
+| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` |
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `create` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| | | | | | | | |
+| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | |
+| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | |
diff --git a/docs/sensors/sysmon_11.0.md b/docs/sensors/sysmon_11.0.md
index 0f919912..4d5461d1 100644
--- a/docs/sensors/sysmon_11.0.md
+++ b/docs/sensors/sysmon_11.0.md
@@ -14,26 +14,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of
 ## Data Model Coverage
-### [flow](../data_model/flow)
-
-| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` |
-|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | | |✓|
-
-### [file](../data_model/file)
-
-| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` |
-|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | |
-| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | | |✓|
-| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | |
-| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-
 ### [registry](../data_model/registry)
 | | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` |
@@ -43,6 +23,14 @@ Sysmon is a freely available program from Microsoft that is provided as part of
 | `remove` | |✓|✓| |✓|✓| |✓| | |✓|
 | `value_edit` | | | | | | | | | | | |
+### [flow](../data_model/flow)
+
+| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` |
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | | |✓|
+
 ### [module](../data_model/module)
 | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` |
@@ -50,6 +38,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of
 | `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| |
 | `unload` | | | | | | | | | | | | | |
+### [driver](../data_model/driver)
+
+| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` |
+|---|---|---|---|---|---|---|---|---|---|
+| `load` | |✓| |✓|✓| | |✓|✓| |✓|
+| `unload` | | | | | | | | | | | |
+
 ### [process](../data_model/process)
 | | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` |
@@ -67,12 +62,17 @@ Sysmon is a freely available program from Microsoft that is provided as part of
 | `suspend` | | | | | | | | | | | | | | | |
 | `terminate` | | | | | | | | | | | | | | | |
-### [driver](../data_model/driver)
+### [file](../data_model/file)
-| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` |
-|---|---|---|---|---|---|---|---|---|---|
-| `load` | |✓| |✓|✓| | |✓|✓| |✓|
-| `unload` | | | | | | | | | | | |
+| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` |
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | |
+| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | | |✓|
+| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | |
+| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | |
diff --git a/docs/sensors/sysmon_13.md b/docs/sensors/sysmon_13.md
index 8defa72a..8d28e3c5 100644
--- a/docs/sensors/sysmon_13.md
+++ b/docs/sensors/sysmon_13.md
@@ -14,26 +14,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of
 ## Data Model Coverage
-### [flow](../data_model/flow)
-
-| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` |
-|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | |✓|✓|
-
-### [file](../data_model/file)
-
-| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` |
-|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | |
-| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | |✓|✓|
-| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | |
-| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | |
-
 ### [registry](../data_model/registry)
 | | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` |
@@ -43,6 +23,14 @@ Sysmon is a freely available program from Microsoft that is provided as part of
 | `remove` | |✓|✓| |✓|✓| |✓| | |✓|
 | `value_edit` | |✓|✓| |✓|✓|✓|✓| | |✓|
+### [flow](../data_model/flow)
+
+| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` |
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+| `end` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | |✓|✓|
+
 ### [module](../data_model/module)
 | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` |
@@ -50,6 +38,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of
 | `load` | |✓| |✓|✓| |✓|✓|✓| |✓|✓|✓| |
 | `unload` | | | | | | | | | | | | | |
+### [driver](../data_model/driver)
+
+| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` |
+|---|---|---|---|---|---|---|---|---|---|
+| `load` | |✓| |✓|✓| | |✓|✓|✓|✓|
+| `unload` | | | | | | | | | | | |
+
 ### [process](../data_model/process)
 | | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` |
@@ -67,12 +62,17 @@ Sysmon is a freely available program from Microsoft that is provided as part of
 | `suspend` | | | | | | | | | | | | | | | |
 | `terminate` | | | | | | | | | | | | | | | |
-### [driver](../data_model/driver)
+### [file](../data_model/file)
-| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` |
-|---|---|---|---|---|---|---|---|---|---|
-| `load` | |✓| |✓|✓| | |✓|✓|✓|✓|
-| `unload` | | | | | | | | | | | |
+| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` |
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | |
+| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | |✓|✓|
+| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | |
+| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | |
+| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | |