| Analytic | ATT&CK Techniques |
|---|---|
| CAR-2013-01-002: Autorun Differences | Modify Existing Service, New Service, Scheduled Task, Port Monitors, Registry Run Keys / Startup Folder, Path Interception, Accessibility Features, Modify Registry, Service Registry Permissions Weakness, Windows Management Instrumentation Event Subscription, File System Permissions Weakness, Change Default File Association, Logon Scripts, Winlogon Helper DLL, AppInit DLLs |
| CAR-2013-01-003: SMB Events Monitoring | Data from Network Shared Drive, Windows Admin Shares |
| CAR-2013-02-003: Processes Spawning cmd.exe | Command-Line Interface |
| CAR-2013-02-008: Simultaneous Logins on a Host | Valid Accounts |
| CAR-2013-02-012: User Logged in to Multiple Hosts | Valid Accounts |
| CAR-2013-03-001: Reg.exe called from Command Shell | Query Registry, Modify Registry, Registry Run Keys / Startup Folder, Service Registry Permissions Weakness |
| CAR-2013-04-002: Quick execution of a series of suspicious commands | Account Discovery, Credential Dumping, Permission Groups Discovery, Process Discovery, Windows Admin Shares, New Service, Modify Existing Service, Modify Registry, Service Registry Permissions Weakness, Remote System Discovery, Service Execution, Scheduled Task, Scheduled Transfer, System Owner/User Discovery, System Service Discovery, System Information Discovery, System Network Connections Discovery, System Network Configuration Discovery, Application Window Discovery, Security Software Discovery, Network Service Scanning, Disabling Security Tools, Account Manipulation, Indicator Blocking, Command-Line Interface, Query Registry |
| CAR-2013-05-002: Suspicious Run Locations | Masquerading |
| CAR-2013-05-003: SMB Write Request | Remote File Copy, Windows Admin Shares, Valid Accounts |
| CAR-2013-05-004: Execution with AT | Scheduled Task |
| CAR-2013-05-005: SMB Copy and Execution | Windows Admin Shares, Valid Accounts, Remote File Copy |
| CAR-2013-05-009: Running executables with same hash and different names | Masquerading |
| CAR-2013-07-001: Suspicious Arguments | Credential Dumping, Masquerading, Remote Services, Remote File Copy |
| CAR-2013-07-002: RDP Connection Detection | Remote Desktop Protocol |
| CAR-2013-07-005: Command Line Usage of Archiving Software | Data Compressed |
| CAR-2013-08-001: Execution with schtasks | Scheduled Task |
| CAR-2013-09-003: SMB Session Setups | Forced Authentication |
| CAR-2013-09-005: Service Outlier Executables | Modify Existing Service, New Service |
| CAR-2013-10-001: User Login Activity Monitoring | Remote Desktop Protocol, Valid Accounts |
| CAR-2013-10-002: DLL Injection via Load Library | Process Injection, Bypass User Account Control |
| CAR-2014-02-001: Service Binary Modifications | New Service, Modify Existing Service, File System Permissions Weakness, Service Execution |
| CAR-2014-03-001: SMB Write Request - NamedPipes | Remote File Copy |
| CAR-2014-03-005: Remotely Launched Executables via Services | New Service, Modify Existing Service, Service Execution |
| CAR-2014-03-006: RunDLL32.exe monitoring | Rundll32 |
| CAR-2014-04-003: Powershell Execution | PowerShell, Scripting |
| CAR-2014-05-001: RPC Activity | Remote Services |
| CAR-2014-05-002: Services launching Cmd | New Service |
| CAR-2014-07-001: Service Search Path Interception | Path Interception |
| CAR-2014-11-002: Outlier Parents of Cmd | Command-Line Interface |
| CAR-2014-11-003: Debuggers for Accessibility Applications | Accessibility Features |
| CAR-2014-11-004: Remote PowerShell Sessions | PowerShell, Windows Remote Management |
| CAR-2014-11-005: Remote Registry | Modify Registry |
| CAR-2014-11-006: Windows Remote Management (WinRM) | Windows Remote Management |
| CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | Windows Management Instrumentation |
| CAR-2014-11-008: Command Launched from WinLogon | Accessibility Features |
| CAR-2014-12-001: Remotely Launched Executables via WMI | Windows Management Instrumentation |
| CAR-2015-04-001: Remotely Scheduled Tasks via AT | Scheduled Task |
| CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | Scheduled Task |
| CAR-2015-07-001: All Logins Since Last Boot | |
| CAR-2016-03-001: Host Discovery Commands | Account Discovery, Permission Groups Discovery, System Network Configuration Discovery, System Information Discovery, System Owner/User Discovery, Process Discovery, System Service Discovery |
| CAR-2016-03-002: Create Remote Process via WMIC | Windows Management Instrumentation |
| CAR-2016-04-002: User Activity from Clearing Event Logs | Indicator Blocking |
| CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | Indicator Blocking |
| CAR-2016-04-004: Successful Local Account Login | Pass the Hash |
| CAR-2016-04-005: Remote Desktop Logon | Remote Desktop Protocol |
| CAR-2019-04-001: UAC Bypass | Bypass User Account Control |
| CAR-2019-04-002: Generic Regsvr32 | Regsvr32 |
| CAR-2019-04-003: Squiblydoo | Regsvr32 |
| CAR-2019-04-004: Credential Dumping via Mimikatz | Credential Dumping |