| Analytic | ATT&CK Techniques | Implementations |
|---|---|---|
| CAR-2013-01-002: Autorun Differences | Modify Existing Service, New Service, Scheduled Task, Port Monitors, Registry Run Keys / Startup Folder, Path Interception, Accessibility Features, Modify Registry, Service Registry Permissions Weakness, Windows Management Instrumentation Event Subscription, File System Permissions Weakness, Change Default File Association, Logon Scripts, Winlogon Helper DLL, AppInit DLLs | |
| CAR-2013-01-003: SMB Events Monitoring | Data from Network Shared Drive, Windows Admin Shares | Pseudocode |
| CAR-2013-02-003: Processes Spawning cmd.exe | Command-Line Interface | Dnif, Pseudocode |
| CAR-2013-02-008: Simultaneous Logins on a Host | Valid Accounts | Pseudocode |
| CAR-2013-02-012: User Logged in to Multiple Hosts | Valid Accounts | |
| CAR-2013-03-001: Reg.exe called from Command Shell | Query Registry, Modify Registry, Registry Run Keys / Startup Folder, Service Registry Permissions Weakness | Dnif, Pseudocode |
| CAR-2013-04-002: Quick execution of a series of suspicious commands | Account Discovery, Credential Dumping, Permission Groups Discovery, Process Discovery, Windows Admin Shares, New Service, Modify Existing Service, Modify Registry, Service Registry Permissions Weakness, Remote System Discovery, Service Execution, Scheduled Task, Scheduled Transfer, System Owner/User Discovery, System Service Discovery, System Information Discovery, System Network Connections Discovery, System Network Configuration Discovery, Application Window Discovery, Security Software Discovery, Network Service Scanning, Disabling Security Tools, Account Manipulation, Indicator Blocking, Command-Line Interface, Query Registry | Dnif, Pseudocode, Sigma |
| CAR-2013-05-002: Suspicious Run Locations | Masquerading | Dnif, Pseudocode, Sigma |
| CAR-2013-05-003: SMB Write Request | Remote File Copy, Windows Admin Shares, Valid Accounts | Pseudocode |
| CAR-2013-05-004: Execution with AT | Scheduled Task | Dnif, Eql, Pseudocode, Splunk |
| CAR-2013-05-005: SMB Copy and Execution | Windows Admin Shares, Valid Accounts, Remote File Copy | Pseudocode |
| CAR-2013-05-009: Running executables with same hash and different names | Masquerading | Dnif, Sigma, Splunk |
| CAR-2013-07-001: Suspicious Arguments | Credential Dumping, Masquerading, Remote Services, Remote File Copy | Dnif, Eql, Pseudocode, Splunk |
| CAR-2013-07-002: RDP Connection Detection | Remote Desktop Protocol | Pseudocode, Sigma |
| CAR-2013-07-005: Command Line Usage of Archiving Software | Data Compressed | Dnif, Pseudocode |
| CAR-2013-08-001: Execution with schtasks | Scheduled Task | Dnif, Pseudocode |
| CAR-2013-09-003: SMB Session Setups | Forced Authentication | Pseudocode |
| CAR-2013-09-005: Service Outlier Executables | Modify Existing Service, New Service | Pseudocode, Sigma |
| CAR-2013-10-001: User Login Activity Monitoring | Remote Desktop Protocol, Valid Accounts | Dnif, Pseudocode, Splunk |
| CAR-2013-10-002: DLL Injection via Load Library | Process Injection, Bypass User Account Control | Pseudocode |
| CAR-2014-02-001: Service Binary Modifications | New Service, Modify Existing Service, File System Permissions Weakness, Service Execution | Pseudocode |
| CAR-2014-03-001: SMB Write Request - NamedPipes | Remote File Copy | Pseudocode |
| CAR-2014-03-005: Remotely Launched Executables via Services | New Service, Modify Existing Service, Service Execution | Pseudocode |
| CAR-2014-03-006: RunDLL32.exe monitoring | Rundll32 | Dnif, Pseudocode |
| CAR-2014-04-003: Powershell Execution | PowerShell, Scripting | Dnif, Eql, Pseudocode, Splunk |
| CAR-2014-05-001: RPC Activity | Remote Services | Pseudocode |
| CAR-2014-05-002: Services launching Cmd | New Service | Dnif, Eql, Pseudocode, Splunk |
| CAR-2014-07-001: Service Search Path Interception | Path Interception | Pseudocode |
| CAR-2014-11-002: Outlier Parents of Cmd | Command-Line Interface | Pseudocode |
| CAR-2014-11-003: Debuggers for Accessibility Applications | Accessibility Features | Pseudocode |
| CAR-2014-11-004: Remote PowerShell Sessions | PowerShell, Windows Remote Management | Eql, Pseudocode |
| CAR-2014-11-005: Remote Registry | Modify Registry | Pseudocode |
| CAR-2014-11-006: Windows Remote Management (WinRM) | Windows Remote Management | Pseudocode |
| CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | Windows Management Instrumentation | Pseudocode |
| CAR-2014-11-008: Command Launched from WinLogon | Accessibility Features | Eql, Pseudocode, Splunk |
| CAR-2014-12-001: Remotely Launched Executables via WMI | Windows Management Instrumentation | Pseudocode |
| CAR-2015-04-001: Remotely Scheduled Tasks via AT | Scheduled Task | Pseudocode |
| CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | Scheduled Task | Pseudocode |
| CAR-2015-07-001: All Logins Since Last Boot | | Pseudocode |
| CAR-2016-03-001: Host Discovery Commands | Account Discovery, Permission Groups Discovery, System Network Configuration Discovery, System Information Discovery, System Owner/User Discovery, Process Discovery, System Service Discovery | Eql, Pseudocode, Splunk |
| CAR-2016-03-002: Create Remote Process via WMIC | Windows Management Instrumentation | Eql, Pseudocode, Splunk |
| CAR-2016-04-002: User Activity from Clearing Event Logs | Indicator Removal on Host | Pseudocode, Sigma |
| CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | Disabling Security Tools | Pseudocode |
| CAR-2016-04-004: Successful Local Account Login | Pass the Hash | Pseudocode |
| CAR-2016-04-005: Remote Desktop Logon | Remote Desktop Protocol | Pseudocode, Sigma |
| CAR-2019-04-001: UAC Bypass | Bypass User Account Control | Pseudocode, Sigma, Splunk |
| CAR-2019-04-002: Generic Regsvr32 | Regsvr32 | Pseudocode, Splunk |
| CAR-2019-04-003: Squiblydoo | Regsvr32 | Eql, Pseudocode, Splunk |
| CAR-2019-04-004: Credential Dumping via Mimikatz | Credential Dumping | Splunk |
| CAR-2019-07-001: Access Permission Modification | File and Directory Permissions Modification | Pseudocode, Splunk |
| CAR-2019-07-002: Lsass Process Dump via Procdump | Credential Dumping | Eql, Pseudocode, Sigma, Splunk |
| CAR-2019-08-001: Credential Dumping via Windows Task Manager | Credential Dumping | Eql, Pseudocode, Splunk |
| CAR-2019-08-002: Active Directory Dumping via NTDSUtil | Credential Dumping | Eql, Pseudocode, Splunk |