Analytic List (sortable)

| ID | Name | Submission Date | ATT&CK Techniques | Implementations | Applicable Platforms |
|---|---|---|---|---|---|
| CAR-2013-01-002 | Autorun Differences | January 25 2013 | | | Windows |
| CAR-2013-01-003 | SMB Events Monitoring | January 25 2013 | | Pseudocode | N/A |
| CAR-2013-02-003 | Processes Spawning cmd.exe | February 05 2013 | | Dnif, Logpoint, Pseudocode | Windows |
| CAR-2013-02-008 | Simultaneous Logins on a Host | February 18 2013 | | Pseudocode | Windows, Linux, macOS |
| CAR-2013-02-012 | User Logged in to Multiple Hosts | February 27 2013 | | | Windows, Linux, macOS |
| CAR-2013-03-001 | Reg.exe called from Command Shell | March 28 2013 | | Dnif, Pseudocode | Windows |
| CAR-2013-04-002 | Quick execution of a series of suspicious commands | April 11 2013 | | Dnif, Logpoint, Pseudocode, Sigma | Windows, Linux, macOS |
| CAR-2013-05-002 | Suspicious Run Locations | May 07 2013 | | Dnif, Logpoint, Pseudocode, Sigma | Windows |
| CAR-2013-05-003 | SMB Write Request | May 13 2013 | | Pseudocode | Windows, Linux, macOS |
| CAR-2013-05-004 | Execution with AT | May 13 2013 | | Dnif, Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2013-05-005 | SMB Copy and Execution | May 13 2013 | | Pseudocode | Windows, Linux, macOS |
| CAR-2013-05-009 | Running executables with same hash and different names | May 23 2013 | | Dnif, Logpoint, Sigma, Splunk | Windows, Linux, macOS |
| CAR-2013-07-001 | Suspicious Arguments | July 05 2013 | | Dnif, Eql, Logpoint, Pseudocode, Splunk | Windows, Linux, macOS |
| CAR-2013-07-002 | RDP Connection Detection | July 24 2013 | | Pseudocode, Sigma | N/A |
| CAR-2013-07-005 | Command Line Usage of Archiving Software | July 31 2013 | | Dnif, Logpoint, Pseudocode | Windows, Linux, macOS |
| CAR-2013-08-001 | Execution with schtasks | August 07 2013 | | Dnif, Logpoint, Pseudocode | Windows |
| CAR-2013-09-003 | SMB Session Setups | September 12 2013 | | Pseudocode | N/A |
| CAR-2013-09-005 | Service Outlier Executables | September 23 2013 | | Logpoint, Pseudocode, Sigma | Windows |
| CAR-2013-10-001 | User Login Activity Monitoring | October 03 2013 | | Dnif, Pseudocode, Splunk | Windows, Linux, macOS |
| CAR-2013-10-002 | DLL Injection via Load Library | October 07 2013 | | Logpoint, Pseudocode | Windows |
| CAR-2014-02-001 | Service Binary Modifications | February 14 2014 | | Pseudocode | Windows |
| CAR-2014-03-001 | SMB Write Request - NamedPipes | March 03 2014 | | Pseudocode | Windows, Linux, macOS |
| CAR-2014-03-005 | Remotely Launched Executables via Services | March 18 2014 | | Pseudocode | Windows |
| CAR-2014-03-006 | RunDLL32.exe monitoring | March 28 2014 | | Dnif, Logpoint, Pseudocode | Windows |
| CAR-2014-04-003 | Powershell Execution | April 11 2014 | | Dnif, Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2014-05-001 | RPC Activity | May 01 2014 | | Pseudocode | Windows |
| CAR-2014-05-002 | Services launching Cmd | May 05 2014 | | Dnif, Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2014-07-001 | Service Search Path Interception | July 17 2014 | | Pseudocode | Windows |
| CAR-2014-11-002 | Outlier Parents of Cmd | November 06 2014 | | Pseudocode | Windows |
| CAR-2014-11-003 | Debuggers for Accessibility Applications | November 21 2014 | | Logpoint, Pseudocode | Windows |
| CAR-2014-11-004 | Remote PowerShell Sessions | November 19 2014 | | Eql, Logpoint, Pseudocode | Windows |
| CAR-2014-11-005 | Remote Registry | November 19 2014 | | Pseudocode | Windows |
| CAR-2014-11-006 | Windows Remote Management (WinRM) | November 19 2014 | | Pseudocode | Windows |
| CAR-2014-11-007 | Remote Windows Management Instrumentation (WMI) over RPC | November 19 2014 | | Pseudocode | Windows |
| CAR-2014-11-008 | Command Launched from WinLogon | November 19 2014 | | Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2014-12-001 | Remotely Launched Executables via WMI | December 02 2014 | | Pseudocode | Windows |
| CAR-2015-04-001 | Remotely Scheduled Tasks via AT | April 29 2015 | | Pseudocode | Windows |
| CAR-2015-04-002 | Remotely Scheduled Tasks via Schtasks | April 29 2015 | | Pseudocode | Windows |
| CAR-2015-07-001 | All Logins Since Last Boot | July 17 2015 | | Pseudocode | Windows, Linux, macOS |
| CAR-2016-03-001 | Host Discovery Commands | March 24 2016 | | Eql, Logpoint, Pseudocode, Splunk | Windows, Linux, macOS |
| CAR-2016-03-002 | Create Remote Process via WMIC | March 28 2016 | | Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2016-04-002 | User Activity from Clearing Event Logs | April 14 2016 | | Logpoint, Pseudocode, Sigma | Windows, Linux, macOS |
| CAR-2016-04-003 | User Activity from Stopping Windows Defensive Services | April 15 2016 | | Logpoint, Pseudocode | Windows |
| CAR-2016-04-004 | Successful Local Account Login | April 18 2016 | | Pseudocode | Windows |
| CAR-2016-04-005 | Remote Desktop Logon | April 19 2016 | | Logpoint, Pseudocode, Sigma | Windows |
| CAR-2019-04-001 | UAC Bypass | April 19 2019 | | Logpoint, Pseudocode, Sigma, Splunk | Windows |
| CAR-2019-04-002 | Generic Regsvr32 | April 24 2019 | | Pseudocode, Splunk | Windows |
| CAR-2019-04-003 | Squiblydoo | April 24 2019 | | Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2019-04-004 | Credential Dumping via Mimikatz | April 29 2019 | | Logpoint, Splunk | Windows |
| CAR-2019-07-001 | Access Permission Modification | July 08 2019 | | Logpoint, Pseudocode, Splunk | Windows, Linux, macOS |
| CAR-2019-07-002 | Lsass Process Dump via Procdump | July 29 2019 | | Eql, Logpoint, Pseudocode, Sigma, Splunk | Windows |
| CAR-2019-08-001 | Credential Dumping via Windows Task Manager | August 05 2019 | | Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2019-08-002 | Active Directory Dumping via NTDSUtil | August 13 2019 | | Eql, Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-04-001 | Shadow Copy Deletion | April 10 2020 | | Eql, Logpoint, Pseudocode, Sigma, Splunk | Windows |
| CAR-2020-05-001 | MiniDump of LSASS | May 04 2020 | | Logpoint, Splunk | Windows |
| CAR-2020-05-003 | Rare LolBAS Command Lines | May 04 2020 | | Pseudocode, Splunk | Windows |
| CAR-2020-08-001 | NTFS Alternate Data Stream Execution - System Utilities | August 03 2020 | | Pseudocode, Splunk | Windows |
| CAR-2020-08-002 | NTFS Alternate Data Stream Execution - LOLBAS | August 03 2020 | | Pseudocode, Splunk | Windows |
| CAR-2020-09-001 | Scheduled Task - FileAccess | September 10 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-09-002 | Component Object Model Hijacking | September 10 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-09-003 | Indicator Blocking - Driver Unloaded | September 10 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-09-004 | Credentials in Files & Registry | September 10 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-09-005 | AppInit DLLs | September 10 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-001 | Boot or Logon Initialization Scripts | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-002 | Local Network Sniffing | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-003 | DLL Injection with Mavinject | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-004 | Processes Started From Irregular Parent | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-005 | Clear Powershell Console Command History | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-006 | Local Permission Group Discovery | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-007 | Network Share Connection Removal | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-008 | MSBuild and msxsl | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-009 | Compiled HTML Access | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-010 | CMSTP | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2020-11-011 | Registry Edit from Screensaver | November 30 2020 | | Logpoint, Pseudocode, Splunk | Windows |
| CAR-2021-01-001 | Identifying Port Scanning Activity | October 23 2020 | | Splunk | Windows, Linux |
| CAR-2021-01-002 | Unusually Long Command Line Strings | November 27 2020 | | Splunk | Windows |
| CAR-2021-01-003 | Clearing Windows Logs with Wevtutil | December 02 2020 | | Splunk | Windows |
| CAR-2021-01-004 | Unusual Child Process for Spoolsv.Exe or Connhost.Exe | December 03 2020 | | Splunk | Windows |
| CAR-2021-01-006 | Unusual Child Process spawned using DDE exploit | December 03 2020 | | Pseudocode, Splunk | Windows |
| CAR-2021-01-007 | Detecting Tampering of Windows Defender Command Prompt | December 11 2020 | | Pseudocode, Splunk | Windows |
| CAR-2021-01-008 | Disable UAC | December 11 2020 | | Pseudocode, Splunk | Windows |
| CAR-2021-01-009 | Detecting Shadow Copy Deletion via Vssadmin.exe | December 11 2020 | | Splunk | Windows |
| CAR-2021-02-001 | Webshell-Indicative Process Tree | November 29 2020 | | Pseudocode, Splunk | Windows |
| CAR-2021-02-002 | Get System Elevation | January 15 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-04-001 | Common Windows Process Masquerading | February 12 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-001 | Attempt To Add Certificate To Untrusted Store | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-002 | Batch File Write to System32 | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-003 | BCDEdit Failure Recovery Modification | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-004 | BITS Job Persistence | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-005 | BITSAdmin Download File | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-006 | CertUtil Download With URLCache and Split Arguments | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-007 | CertUtil Download With VerifyCtl and Split Arguments | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-008 | Certutil exe certificate extraction | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-009 | CertUtil With Decode Argument | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-010 | Create local admin accounts using net exe | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-011 | Create Remote Thread into LSASS | May 11 2021 | | Pseudocode, Splunk | Windows |
| CAR-2021-05-012 | Create Service In Suspicious File Path | May 11 2021 | | Pseudocode, Splunk | Windows |

Analytic List (by technique/sub-technique coverage)

| ATT&CK Technique | ATT&CK Sub-technique(s) | CAR Analytic(s) |
|---|---|---|
| Create or Modify System Process | Windows Service | |
| Scheduled Task/Job | (N/A - see below) | (N/A - see below) |
| | Scheduled Task | |
| | At (Windows) | |
| Boot or Logon Autostart Execution | (N/A - see below) | (N/A - see below) |
| | Registry Run Keys / Startup Folder | |
| | Port Monitors | |
| | Winlogon Helper DLL | |
| Hijack Execution Flow | (N/A - see below) | (N/A - see below) |
| | Path Interception by PATH Environment Variable | |
| | Path Interception by Search Order Hijacking | |
| | Path Interception by Unquoted Path | |
| | Services File Permissions Weakness | |
| | Services Registry Permissions Weakness | |
| Event Triggered Execution | (N/A - see below) | (N/A - see below) |
| | Change Default File Association | |
| | Windows Management Instrumentation Event Subscription | |
| | Accessibility Features | |
| | AppInit DLLs | |
| | Component Object Model Hijacking | |
| | Screensaver | |
| Boot or Logon Initialization Scripts | Logon Script (Windows) | |
| Remote Services | (N/A - technique only) | |
| | SMB/Windows Admin Shares | |
| | Remote Desktop Protocol | |
| | Distributed Component Object Model | |
| | Windows Remote Management | |
| Command and Scripting Interpreter | (N/A - technique only) | |
| | Windows Command Shell | |
| | Visual Basic | |
| | PowerShell | |
| Valid Accounts | (N/A - see below) | (N/A - see below) |
| | Domain Accounts | |
| | Local Accounts | |
| Account Discovery | (N/A - see below) | (N/A - see below) |
| | Local Account | |
| | Domain Account | |
| OS Credential Dumping | (N/A - see below) | (N/A - see below) |
| | Security Account Manager | |
| | LSASS Memory | |
| | NTDS | |
| Permission Groups Discovery | (N/A - see below) | (N/A - see below) |
| | Local Groups | |
| | Domain Groups | |
| System Services | (N/A - see below) | (N/A - see below) |
| | Service Execution | |
| | Launchctl | |
| Software Discovery | Security Software Discovery | |
| Impair Defenses | (N/A - see below) | (N/A - see below) |
| | Disable or Modify Tools | |
| | Indicator Blocking | |
| Masquerading | (N/A - technique only) | |
| | Rename System Utilities | |
| | Match Legitimate Name or Location | |
| Archive Collected Data | Archive via Utility | |
| Process Injection | (N/A - see below) | (N/A - see below) |
| | Dynamic-link Library Injection | |
| | Process Hollowing | |
| Bypass User Account Control | | |
| Signed Binary Proxy Execution | (N/A - see below) | (N/A - see below) |
| | Rundll32 | |
| | Regsvr32 | |
| | Compiled HTML File | |
| | CMSTP | |
| Indicator Removal on Host | (N/A - see below) | (N/A - see below) |
| | Clear Windows Event Logs | |
| | Clear Command History | |
| | Network Share Connection Removal | |
| Use Alternate Authentication Material | Pass the Hash | |
| File and Directory Permissions Modification | (N/A - see below) | (N/A - see below) |
| | Windows File and Directory Permissions Modification | |
| | Linux and Mac File and Directory Permissions Modification | |
| Hide Artifacts | NTFS File Attributes | |
| Unsecured Credentials | (N/A - see below) | (N/A - see below) |
| | Credentials In Files | |
| | Credentials in Registry | |
| Trusted Developer Utilities Proxy Execution | MSBuild | |
| Inter-Process Communication | Dynamic Data Exchange | |
| Server Software Component | Web Shell | |
| Subvert Trust Controls | Install Root Certificate | |
| User Execution | Malicious File | |
| Forge Web Credentials | SAML Tokens | |
| Create Account | Local Account | |