Analytics

Analytic List (sortable)

ID	Name	Submission Date	ATT&CK Techniques	Implementations	Applicable Platforms
CAR-2013-01-002	Autorun Differences	January 25 2013	Create or Modify System Process Scheduled Task/Job		Windows
CAR-2013-01-003	SMB Events Monitoring	January 25 2013	Data from Network Shared Drive Remote Services	Pseudocode	N/A
CAR-2013-02-003	Processes Spawning cmd.exe	February 05 2013	Command and Scripting Interpreter	Dnif, Logpoint, Pseudocode	Windows
CAR-2013-02-008	Simultaneous Logins on a Host	February 18 2013	Valid Accounts	Pseudocode	Windows, Linux, macOS
CAR-2013-02-012	User Logged in to Multiple Hosts	February 27 2013	Valid Accounts		Windows, Linux, macOS
CAR-2013-03-001	Reg.exe called from Command Shell	March 28 2013	Query Registry Modify Registry	Dnif, Pseudocode	Windows
CAR-2013-04-002	Quick execution of a series of suspicious commands	April 11 2013	Account Discovery OS Credential Dumping	Dnif, Logpoint, Pseudocode, Sigma	Windows, Linux, macOS
CAR-2013-05-002	Suspicious Run Locations	May 07 2013	Masquerading	Dnif, Logpoint, Pseudocode, Sigma	Windows
CAR-2013-05-003	SMB Write Request	May 13 2013	Lateral Tool Transfer Remote Services	Pseudocode	Windows, Linux, macOS
CAR-2013-05-004	Execution with AT	May 13 2013	Scheduled Task/Job	Dnif, Eql, Logpoint, Pseudocode, Splunk	Windows
CAR-2013-05-005	SMB Copy and Execution	May 13 2013	Remote Services Valid Accounts	Pseudocode	Windows, Linux, macOS
CAR-2013-05-009	Running executables with same hash and different names	May 23 2013	Masquerading	Dnif, Logpoint, Sigma, Splunk	Windows, Linux, macOS
CAR-2013-07-001	Suspicious Arguments	July 05 2013	OS Credential Dumping Remote Services	Dnif, Eql, Logpoint, Pseudocode, Splunk	Windows, Linux, macOS
CAR-2013-07-002	RDP Connection Detection	July 24 2013	Remote Services	Pseudocode, Sigma	N/A
CAR-2013-07-005	Command Line Usage of Archiving Software	July 31 2013	Archive Collected Data	Dnif, Logpoint, Pseudocode	Windows, Linux, macOS
CAR-2013-08-001	Execution with schtasks	August 07 2013	Scheduled Task/Job	Dnif, Logpoint, Pseudocode	Windows
CAR-2013-09-003	SMB Session Setups	September 12 2013	Forced Authentication	Pseudocode	N/A
CAR-2013-09-005	Service Outlier Executables	September 23 2013	Create or Modify System Process	Logpoint, Pseudocode, Sigma	Windows
CAR-2013-10-001	User Login Activity Monitoring	October 03 2013	Remote Services Valid Accounts	Dnif, Pseudocode, Splunk	Windows, Linux, macOS
CAR-2013-10-002	DLL Injection via Load Library	October 07 2013	Process Injection Abuse Elevation Control Mechanism	Logpoint, Pseudocode	Windows
CAR-2014-02-001	Service Binary Modifications	February 14 2014	Create or Modify System Process Hijack Execution Flow	Pseudocode	Windows
CAR-2014-03-001	SMB Write Request - NamedPipes	March 03 2014	Lateral Tool Transfer	Pseudocode	Windows, Linux, macOS
CAR-2014-03-005	Remotely Launched Executables via Services	March 18 2014	Create or Modify System Process System Services	Pseudocode	Windows
CAR-2014-03-006	RunDLL32.exe monitoring	March 28 2014	System Binary Proxy Execution	Dnif, Logpoint, Pseudocode	Windows
CAR-2014-04-003	Powershell Execution	April 11 2014	Command and Scripting Interpreter Command and Scripting Interpreter	Dnif, Eql, Logpoint, Pseudocode, Splunk	Windows
CAR-2014-05-001	RPC Activity	May 01 2014	Remote Services	Pseudocode	Windows
CAR-2014-05-002	Services launching Cmd	May 05 2014	Create or Modify System Process	Dnif, Eql, Logpoint, Pseudocode, Splunk	Windows
CAR-2014-07-001	Service Search Path Interception	July 17 2014	Hijack Execution Flow	Pseudocode	Windows
CAR-2014-11-002	Outlier Parents of Cmd	November 06 2014	Command and Scripting Interpreter	Pseudocode	Windows
CAR-2014-11-003	Debuggers for Accessibility Applications	November 21 2014	Event Triggered Execution	Logpoint, Pseudocode	Windows
CAR-2014-11-004	Remote PowerShell Sessions	November 19 2014	Command and Scripting Interpreter Remote Services	Eql, Logpoint, Pseudocode	Windows
CAR-2014-11-005	Remote Registry	November 19 2014	Modify Registry	Pseudocode	Windows
CAR-2014-11-006	Windows Remote Management (WinRM)	November 19 2014	Remote Services	Pseudocode	Windows
CAR-2014-11-007	Remote Windows Management Instrumentation (WMI) over RPC	November 19 2014	Windows Management Instrumentation	Pseudocode	Windows
CAR-2014-11-008	Command Launched from WinLogon	November 19 2014	Event Triggered Execution	Eql, Logpoint, Pseudocode, Splunk	Windows
CAR-2014-12-001	Remotely Launched Executables via WMI	December 02 2014	Windows Management Instrumentation	Pseudocode	Windows
CAR-2015-04-001	Remotely Scheduled Tasks via AT	April 29 2015	Scheduled Task/Job	Pseudocode	Windows
CAR-2015-04-002	Remotely Scheduled Tasks via Schtasks	April 29 2015	Scheduled Task/Job	Pseudocode	Windows
CAR-2015-07-001	All Logins Since Last Boot	July 17 2015		Pseudocode	Windows, Linux, macOS
CAR-2016-03-001	Host Discovery Commands	March 24 2016	Account Discovery Permission Groups Discovery	Eql, Logpoint, Pseudocode, Splunk	Windows, Linux, macOS
CAR-2016-03-002	Create Remote Process via WMIC	March 28 2016	Windows Management Instrumentation	Eql, Logpoint, Pseudocode, Splunk	Windows
CAR-2016-04-002	User Activity from Clearing Event Logs	April 14 2016	Indicator Removal	Logpoint, Pseudocode, Sigma, Splunk	Windows, Linux, macOS
CAR-2016-04-003	User Activity from Stopping Windows Defensive Services	April 15 2016	Impair Defenses	Logpoint, Pseudocode	Windows
CAR-2016-04-004	Successful Local Account Login	April 18 2016	Use Alternate Authentication Material	Pseudocode	Windows
CAR-2016-04-005	Remote Desktop Logon	April 19 2016	Remote Services	Logpoint, Pseudocode, Sigma	Windows
CAR-2019-04-001	UAC Bypass	April 19 2019	Abuse Elevation Control Mechanism	Logpoint, Pseudocode, Sigma, Splunk	Windows
CAR-2019-04-002	Generic Regsvr32	April 24 2019	System Binary Proxy Execution	Pseudocode, Splunk	Windows
CAR-2019-04-003	Squiblydoo	April 24 2019	System Binary Proxy Execution	Eql, Logpoint, Psuedocode, Splunk	Windows
CAR-2019-04-004	Credential Dumping via Mimikatz	April 29 2019	OS Credential Dumping	Logpoint, Splunk	Windows
CAR-2019-07-001	Access Permission Modification	July 08 2019	File and Directory Permissions Modification	Logpoint, Pseudocode, Splunk	Windows, Linux, macOS
CAR-2019-07-002	Lsass Process Dump via Procdump	July 29 2019	OS Credential Dumping	Eql, Logpoint, Pseudocode, Sigma, Splunk	Windows
CAR-2019-08-001	Credential Dumping via Windows Task Manager	August 05 2019	OS Credential Dumping	Eql, Logpoint, Pseudocode, Splunk	Windows
CAR-2019-08-002	Active Directory Dumping via NTDSUtil	August 13 2019	OS Credential Dumping	Eql, Logpoint, Pseudocode, Splunk	Windows
CAR-2020-04-001	Shadow Copy Deletion	April 10 2020			Windows
CAR-2020-05-001	MiniDump of LSASS	May 04 2020	OS Credential Dumping	Logpoint, Splunk	Windows
CAR-2020-05-003	Rare LolBAS Command Lines	May 04 2020	Query Registry Modify Registry	Pseudocode, Splunk	Windows
CAR-2020-08-001	NTFS Alternate Data Stream Execution - System Utilities	August 03 2020	Hide Artifacts	Pseudocode, Splunk	Windows
CAR-2020-08-002	NTFS Alternate Data Stream Execution - LOLBAS	August 03 2020	Hide Artifacts	Pseudocode, Splunk	Windows
CAR-2020-09-001	Scheduled Task - FileAccess	September 10 2020	Scheduled Task/Job	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-09-002	Component Object Model Hijacking	September 10 2020	Event Triggered Execution	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-09-003	Indicator Blocking - Driver Unloaded	September 10 2020	Impair Defenses	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-09-004	Credentials in Files & Registry	September 10 2020	Unsecured Credentials	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-09-005	AppInit DLLs	September 10 2020	Event Triggered Execution	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-11-001	Boot or Logon Initialization Scripts	November 30 2020	Boot or Logon Initialization Scripts	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-11-002	Local Network Sniffing	November 30 2020	Network Sniffing	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-11-003	DLL Injection with Mavinject	November 30 2020	Process Injection	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-11-004	Processes Started From Irregular Parent	November 30 2020	Process Injection	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-11-005	Clear Powershell Console Command History	November 30 2020	Indicator Removal	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-11-006	Local Permission Group Discovery	November 30 2020	Permission Groups Discovery	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-11-007	Network Share Connection Removal	November 30 2020	Indicator Removal	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-11-008	MSBuild and msxsl	November 30 2020	Trusted Developer Utilities Proxy Execution	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-11-009	Compiled HTML Access	November 30 2020	System Binary Proxy Execution	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-11-010	CMSTP	November 30 2020	System Binary Proxy Execution	Logpoint, Pseudocode, Splunk	Windows
CAR-2020-11-011	Registry Edit from Screensaver	November 30 2020	Event Triggered Execution	Logpoint, Pseudocode, Splunk	Windows
CAR-2021-01-001	Identifying Port Scanning Activity	October 23 2020	Network Service Discovery	Splunk	Windows, Linux
CAR-2021-01-002	Unusually Long Command Line Strings	November 27 2020	Command and Scripting Interpreter	Splunk	Windows
CAR-2021-01-003	Clearing Windows Logs with Wevtutil	December 02 2020	Indicator Removal	Splunk	Windows
CAR-2021-01-004	Unusual Child Process for Spoolsv.Exe or Connhost.Exe	December 03 2020	Exploitation for Privilege Escalation	Splunk	Windows
CAR-2021-01-006	Unusual Child Process spawned using DDE exploit	December 03 2020	Inter-Process Communication	Pseudocode, Splunk	Windows
CAR-2021-01-007	Detecting Tampering of Windows Defender Command Prompt	December 11 2020	Impair Defenses	Pseudocode, Splunk	Windows
CAR-2021-01-008	Disable UAC	December 11 2020	Abuse Elevation Control Mechanism	Pseudocode, Splunk	Windows
CAR-2021-01-009	Detecting Shadow Copy Deletion or Resize	December 11 2020	Inhibit System Recovery	Elastic, Logpoint, Splunk	Windows
CAR-2021-02-001	Webshell-Indicative Process Tree	November 29 2020	Server Software Component	Pseudocode, Splunk	Windows
CAR-2021-02-002	Get System Elevation	January 15 2021	Abuse Elevation Control Mechanism	Pseudocode, Splunk	Windows
CAR-2021-04-001	Common Windows Process Masquerading	February 12 2021	Masquerading	Pseudocode, Splunk	Windows
CAR-2021-05-001	Attempt To Add Certificate To Untrusted Store	May 11 2021	Subvert Trust Controls	Pseudocode, Splunk	Windows
CAR-2021-05-002	Batch File Write to System32	May 11 2021	User Execution	Pseudocode, Splunk	Windows
CAR-2021-05-003	BCDEdit Failure Recovery Modification	May 11 2021	Inhibit System Recovery	Pseudocode, Splunk	Windows
CAR-2021-05-004	BITS Job Persistence	May 11 2021	BITS Jobs	Pseudocode, Splunk	Windows
CAR-2021-05-005	BITSAdmin Download File	May 11 2021	BITS Jobs Ingress Tool Transfer	Pseudocode, Splunk	Windows
CAR-2021-05-006	CertUtil Download With URLCache and Split Arguments	May 11 2021	Ingress Tool Transfer	Pseudocode, Splunk	Windows
CAR-2021-05-007	CertUtil Download With VerifyCtl and Split Arguments	May 11 2021	Ingress Tool Transfer	Pseudocode, Splunk	Windows
CAR-2021-05-008	Certutil exe certificate extraction	May 11 2021	Forge Web Credentials	Pseudocode, Splunk	Windows
CAR-2021-05-009	CertUtil With Decode Argument	May 11 2021	Deobfuscate/Decode Files or Information	Pseudocode, Splunk	Windows
CAR-2021-05-010	Create local admin accounts using net exe	May 11 2021	Create Account	Pseudocode, Splunk	Windows
CAR-2021-05-011	Create Remote Thread into LSASS	May 11 2021	OS Credential Dumping	Pseudocode, Splunk	Windows
CAR-2021-05-012	Create Service In Suspicious File Path	May 11 2021	System Services	Pseudocode, Splunk	Windows
CAR-2021-11-001	Registry Edit with Creation of SafeDllSearchMode Key Set to 0	November 24 2021	Hijack Execution Flow Modify Registry	Elastic, Logpoint, Pseudocode, Splunk	Windows
CAR-2021-11-002	Registry Edit with Modification of Userinit, Shell or Notify	November 28 2021	Boot or Logon Autostart Execution Modify Registry	Elastic, Logpoint, Pseudocode, Splunk	Windows
CAR-2021-12-001	Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths	December 04 2021	Scheduled Task/Job	Elastic, Logpoint, Pseudocode, Splunk	Windows
CAR-2021-12-002	Modification of Default Startup Folder in the Registry Key 'Common Startup'	December 06 2021	Boot or Logon Autostart Execution Modify Registry	Elastic, Logpoint, Pseudocode, Splunk	Windows
CAR-2022-03-001	Disable Windows Event Logging	March 14 2022	Impair Defenses	Logpoint, Pseudocode, Splunk	Windows