Analytic List

| ID | Name | Submission Date | ATT&CK Techniques | Implementations | Applicable Platforms |
|---|---|---|---|---|---|
| CAR-2013-01-002 | Autorun Differences | January 25 2013 | | | Windows |
| CAR-2013-01-003 | SMB Events Monitoring | January 25 2013 | | Pseudocode | N/A |
| CAR-2013-02-003 | Processes Spawning cmd.exe | February 05 2013 | | Dnif, Logpoint, Pseudocode | Windows |
| CAR-2013-02-008 | Simultaneous Logins on a Host | February 18 2013 | | Pseudocode | Windows, Linux, macOS |
| CAR-2013-02-012 | User Logged in to Multiple Hosts | February 27 2013 | | | Windows, Linux, macOS |
| CAR-2013-03-001 | Reg.exe called from Command Shell | March 28 2013 | | Dnif, Pseudocode | Windows |
| CAR-2013-04-002 | Quick execution of a series of suspicious commands | April 11 2013 | | Dnif, Logpoint, Pseudocode, Sigma | Windows, Linux, macOS |
| CAR-2013-05-002 | Suspicious Run Locations | May 07 2013 | | Dnif, Logpoint, Pseudocode, Sigma | Windows |
| CAR-2013-05-003 | SMB Write Request | May 13 2013 | | Pseudocode | Windows, Linux, macOS |
| CAR-2013-05-004 | Execution with AT | May 13 2013 | | Dnif, Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2013-05-005 | SMB Copy and Execution | May 13 2013 | | Pseudocode | Windows, Linux, macOS |
| CAR-2013-05-009 | Running executables with same hash and different names | May 23 2013 | | Dnif, Logpoint, Sigma, Splunk | Windows, Linux, macOS |
| CAR-2013-07-001 | Suspicious Arguments | July 05 2013 | | Dnif, Eql, Logpoint, Pseudocode, Splunk | Windows, Linux, macOS |
| CAR-2013-07-002 | RDP Connection Detection | July 24 2013 | | Pseudocode, Sigma | N/A |
| CAR-2013-07-005 | Command Line Usage of Archiving Software | July 31 2013 | | Dnif, Logpoint, Pseudocode | Windows, Linux, macOS |
| CAR-2013-08-001 | Execution with schtasks | August 07 2013 | | Dnif, Logpoint, Pseudocode | Windows |
| CAR-2013-09-003 | SMB Session Setups | September 12 2013 | | Pseudocode | N/A |
| CAR-2013-09-005 | Service Outlier Executables | September 23 2013 | | Logpoint, Pseudocode, Sigma | Windows |
| CAR-2013-10-001 | User Login Activity Monitoring | October 03 2013 | | Dnif, Pseudocode, Splunk | Windows, Linux, macOS |
| CAR-2013-10-002 | DLL Injection via Load Library | October 07 2013 | | Logpoint, Pseudocode | Windows |
| CAR-2014-02-001 | Service Binary Modifications | February 14 2014 | | Pseudocode | Windows |
| CAR-2014-03-001 | SMB Write Request - NamedPipes | March 03 2014 | | Pseudocode | Windows, Linux, macOS |
| CAR-2014-03-005 | Remotely Launched Executables via Services | March 18 2014 | | Pseudocode | Windows |
| CAR-2014-03-006 | RunDLL32.exe monitoring | March 28 2014 | | Dnif, Logpoint, Pseudocode | Windows |
| CAR-2014-04-003 | Powershell Execution | April 11 2014 | | Dnif, Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2014-05-001 | RPC Activity | May 01 2014 | | Pseudocode | Windows |
| CAR-2014-05-002 | Services launching Cmd | May 05 2014 | | Dnif, Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2014-07-001 | Service Search Path Interception | July 17 2014 | | Pseudocode | Windows |
| CAR-2014-11-002 | Outlier Parents of Cmd | November 06 2014 | | Pseudocode | Windows |
| CAR-2014-11-003 | Debuggers for Accessibility Applications | November 21 2014 | | Logpoint, Pseudocode | Windows |
| CAR-2014-11-004 | Remote PowerShell Sessions | November 19 2014 | | Eql, Logpoint, Pseudocode | Windows |
| CAR-2014-11-005 | Remote Registry | November 19 2014 | | Pseudocode | Windows |
| CAR-2014-11-006 | Windows Remote Management (WinRM) | November 19 2014 | | Pseudocode | Windows |
| CAR-2014-11-007 | Remote Windows Management Instrumentation (WMI) over RPC | November 19 2014 | | Pseudocode | Windows |
| CAR-2014-11-008 | Command Launched from WinLogon | November 19 2014 | | Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2014-12-001 | Remotely Launched Executables via WMI | December 02 2014 | | Pseudocode | Windows |
| CAR-2015-04-001 | Remotely Scheduled Tasks via AT | April 29 2015 | | Pseudocode | Windows |
| CAR-2015-04-002 | Remotely Scheduled Tasks via Schtasks | April 29 2015 | | Pseudocode | Windows |
| CAR-2015-07-001 | All Logins Since Last Boot | July 17 2015 | | Pseudocode | Windows, Linux, macOS |
| CAR-2016-03-001 | Host Discovery Commands | March 24 2016 | | Eql, Logpoint, Pseudocode, Splunk | Windows, Linux, macOS |
| CAR-2016-03-002 | Create Remote Process via WMIC | March 28 2016 | | Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2016-04-002 | User Activity from Clearing Event Logs | April 14 2016 | | Logpoint, Pseudocode, Sigma, Splunk | Windows, Linux, macOS |
| CAR-2016-04-003 | User Activity from Stopping Windows Defensive Services | April 15 2016 | | Logpoint, Pseudocode | Windows |
| CAR-2016-04-004 | Successful Local Account Login | April 18 2016 | | Pseudocode | Windows |
| CAR-2016-04-005 | Remote Desktop Logon | April 19 2016 | | Logpoint, Pseudocode, Sigma | Windows |
| CAR-2019-04-001 | UAC Bypass | April 19 2019 | | Logpoint, Pseudocode, Sigma, Splunk | Windows |
| CAR-2019-04-002 | Generic Regsvr32 | April 24 2019 | | Pseudocode, Splunk | Windows |
| CAR-2019-04-003 | Squiblydoo | April 24 2019 | | Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2019-04-004 | Credential Dumping via Mimikatz | April 29 2019 | | Logpoint, Splunk | Windows |
| CAR-2019-07-001 | Access Permission Modification | July 08 2019 | | Logpoint, Pseudocode, Splunk | Windows, Linux, macOS |
| CAR-2019-07-002 | Lsass Process Dump via Procdump | July 29 2019 | | Eql, Logpoint, Pseudocode, Sigma, Splunk | Windows |
| CAR-2019-08-001 | Credential Dumping via Windows Task Manager | August 05 2019 | | Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2019-08-002 | Active Directory Dumping via NTDSUtil | August 13 2019 | | Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-04-001 | Shadow Copy Deletion | April 10 2020 | | | Windows |
| CAR-2020-05-001 | MiniDump of LSASS | May 04 2020 | | Logpoint, Splunk | Windows |
| CAR-2020-05-003 | Rare LolBAS Command Lines | May 04 2020 | | Pseudocode, Splunk | Windows |
| CAR-2020-08-001 | NTFS Alternate Data Stream Execution - System Utilities | August 03 2020 | | Pseudocode, Splunk | Windows |
| CAR-2020-08-002 | NTFS Alternate Data Stream Execution - LOLBAS | August 03 2020 | | Pseudocode, Splunk | Windows |
| CAR-2020-09-001 | Scheduled Task - FileAccess | September 10 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-09-002 | Component Object Model Hijacking | September 10 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-09-003 | Indicator Blocking - Driver Unloaded | September 10 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-09-004 | Credentials in Files & Registry | September 10 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-09-005 | AppInit DLLs | September 10 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-001 | Boot or Logon Initialization Scripts | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-002 | Local Network Sniffing | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-003 | DLL Injection with Mavinject | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-004 | Processes Started From Irregular Parent | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-005 | Clear Powershell Console Command History | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-006 | Local Permission Group Discovery | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-007 | Network Share Connection Removal | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-008 | MSBuild and msxsl | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-009 | Compiled HTML Access | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-010 | CMSTP | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-011 | Registry Edit from Screensaver | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2021-01-001 | Identifying Port Scanning Activity | October 23 2020 | | Splunk | Windows, Linux |
| CAR-2021-01-002 | Unusually Long Command Line Strings | November 27 2020 | | Splunk | Windows |
| CAR-2021-01-003 | Clearing Windows Logs with Wevtutil | December 02 2020 | | Splunk | Windows |
| CAR-2021-01-004 | Unusual Child Process for Spoolsv.Exe or Connhost.Exe | December 03 2020 | | Splunk | Windows |
| CAR-2021-01-006 | Unusual Child Process spawned using DDE exploit | December 03 2020 | | Pseudocode, Splunk | Windows |
| CAR-2021-01-007 | Detecting Tampering of Windows Defender Command Prompt | December 11 2020 | | Pseudocode, Splunk | Windows |
| CAR-2021-01-008 | Disable UAC | December 11 2020 | | Pseudocode, Splunk | Windows |
| CAR-2021-01-009 | Detecting Shadow Copy Deletion or Resize | December 11 2020 | | Elastic, Logpoint, Splunk | Windows |
| CAR-2021-02-001 | Webshell-Indicative Process Tree | November 29 2020 | | Pseudocode, Splunk | Windows |
| CAR-2021-02-002 | Get System Elevation | January 15 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-04-001 | Common Windows Process Masquerading | February 12 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-001 | Attempt To Add Certificate To Untrusted Store | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-002 | Batch File Write to System32 | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-003 | BCDEdit Failure Recovery Modification | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-004 | BITS Job Persistence | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-005 | BITSAdmin Download File | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-006 | CertUtil Download With URLCache and Split Arguments | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-007 | CertUtil Download With VerifyCtl and Split Arguments | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-008 | Certutil exe certificate extraction | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-009 | CertUtil With Decode Argument | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-010 | Create local admin accounts using net exe | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-011 | Create Remote Thread into LSASS | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-012 | Create Service In Suspicious File Path | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-11-001 | Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | November 24 2021 | | Elastic, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2021-11-002 | Registry Edit with Modification of Userinit, Shell or Notify | November 28 2021 | | Elastic, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2021-12-001 | Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths | December 04 2021 | | Elastic, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2021-12-002 | Modification of Default Startup Folder in the Registry Key 'Common Startup' | December 06 2021 | | Elastic, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2022-03-001 | Disable Windows Event Logging | March 14 2022 | | Logpoint, Pseudocode, Splunk | Windows |