Analytics (by technique)

ATT&CK Technique	ATT&CK Sub-technique(s)	CAR Analytic(s)
T1003: OS Credential Dumping
	T1003.003: NTDS	CAR-2019-08-002: Active Directory Dumping via NTDSUtil CAR-2020-05-001: MiniDump of LSASS
	T1003.001: LSASS Memory	CAR-2013-07-001: Suspicious Arguments CAR-2019-04-004: Credential Dumping via Mimikatz CAR-2019-07-002: Lsass Process Dump via Procdump CAR-2019-08-001: Credential Dumping via Windows Task Manager CAR-2021-05-011: Create Remote Thread into LSASS
	T1003.002: Security Account Manager	CAR-2013-04-002: Quick execution of a series of suspicious commands
T1007: System Service Discovery	(N/A - technique only)	CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2016-03-001: Host Discovery Commands
T1010: Application Window Discovery	(N/A - technique only)	CAR-2013-04-002: Quick execution of a series of suspicious commands
T1012: Query Registry	(N/A - technique only)	CAR-2013-03-001: Reg.exe called from Command Shell CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2020-05-003: Rare LolBAS Command Lines
T1016: System Network Configuration Discovery	(N/A - technique only)	CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2016-03-001: Host Discovery Commands
T1018: Remote System Discovery	(N/A - technique only)	CAR-2013-04-002: Quick execution of a series of suspicious commands
T1021: Remote Services	(N/A - technique only)	CAR-2013-07-001: Suspicious Arguments
	T1021.001: Remote Desktop Protocol	CAR-2013-07-002: RDP Connection Detection CAR-2013-10-001: User Login Activity Monitoring CAR-2016-04-005: Remote Desktop Logon
	T1021.002: SMB/Windows Admin Shares	CAR-2013-01-003: SMB Events Monitoring CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2013-05-003: SMB Write Request CAR-2013-05-005: SMB Copy and Execution CAR-2014-05-001: RPC Activity
	T1021.006: Windows Remote Management	CAR-2014-05-001: RPC Activity CAR-2014-11-004: Remote PowerShell Sessions CAR-2014-11-006: Windows Remote Management (WinRM)
	T1021.003: Distributed Component Object Model	CAR-2014-05-001: RPC Activity
T1029: Scheduled Transfer	(N/A - technique only)	CAR-2013-04-002: Quick execution of a series of suspicious commands
T1033: System Owner/User Discovery	(N/A - technique only)	CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2016-03-001: Host Discovery Commands
T1036: Masquerading	(N/A - technique only)	CAR-2013-05-002: Suspicious Run Locations
	T1036.005: Match Legitimate Name or Location	CAR-2021-04-001: Common Windows Process Masquerading
	T1036.003: Rename System Utilities	CAR-2013-05-009: Running executables with same hash and different names
T1037: Boot or Logon Initialization Scripts	T1037.001: Logon Script (Windows)	CAR-2013-01-002: Autorun Differences CAR-2020-11-001: Boot or Logon Initialization Scripts
T1039: Data from Network Shared Drive	(N/A - technique only)	CAR-2013-01-003: SMB Events Monitoring
T1040: Network Sniffing	(N/A - technique only)	CAR-2020-11-002: Local Network Sniffing
T1046: Network Service Discovery	(N/A - technique only)	CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2021-01-001: Identifying Port Scanning Activity
T1047: Windows Management Instrumentation	(N/A - technique only)	CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC CAR-2014-12-001: Remotely Launched Executables via WMI CAR-2016-03-002: Create Remote Process via WMIC
T1049: System Network Connections Discovery	(N/A - technique only)	CAR-2013-04-002: Quick execution of a series of suspicious commands
T1053: Scheduled Task/Job
	T1053.002: At	CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2013-05-004: Execution with AT CAR-2015-04-001: Remotely Scheduled Tasks via AT
	T1053.005: Scheduled Task	CAR-2013-01-002: Autorun Differences CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2013-08-001: Execution with schtasks CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks CAR-2020-09-001: Scheduled Task - FileAccess CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths
T1055: Process Injection
	T1055.001: Dynamic-link Library Injection	CAR-2013-10-002: DLL Injection via Load Library CAR-2020-11-003: DLL Injection with Mavinject
	T1055.012: Process Hollowing	CAR-2020-11-004: Processes Started From Irregular Parent
T1057: Process Discovery	(N/A - technique only)	CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2016-03-001: Host Discovery Commands
T1059: Command and Scripting Interpreter	(N/A - technique only)	CAR-2021-01-002: Unusually Long Command Line Strings
	T1059.003: Windows Command Shell	CAR-2013-02-003: Processes Spawning cmd.exe CAR-2014-11-002: Outlier Parents of Cmd
	T1059.001: PowerShell	CAR-2014-04-003: Powershell Execution CAR-2014-11-004: Remote PowerShell Sessions
	T1059.005: Visual Basic	CAR-2013-04-002: Quick execution of a series of suspicious commands
T1068: Exploitation for Privilege Escalation	(N/A - technique only)	CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe
T1069: Permission Groups Discovery
	T1069.001: Local Groups	CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2016-03-001: Host Discovery Commands CAR-2020-11-006: Local Permission Group Discovery
	T1069.002: Domain Groups	CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2016-03-001: Host Discovery Commands CAR-2020-11-006: Local Permission Group Discovery
T1070: Indicator Removal
	T1070.003: Clear Command History	CAR-2020-11-005: Clear Powershell Console Command History
	T1070.001: Clear Windows Event Logs	CAR-2016-04-002: User Activity from Clearing Event Logs CAR-2021-01-003: Clearing Windows Logs with Wevtutil
	T1070.005: Network Share Connection Removal	CAR-2020-11-007: Network Share Connection Removal
T1078: Valid Accounts
	T1078.002: Domain Accounts	CAR-2013-02-008: Simultaneous Logins on a Host CAR-2013-02-012: User Logged in to Multiple Hosts CAR-2013-05-003: SMB Write Request CAR-2013-05-005: SMB Copy and Execution CAR-2013-10-001: User Login Activity Monitoring
	T1078.003: Local Accounts	CAR-2013-02-008: Simultaneous Logins on a Host CAR-2013-02-012: User Logged in to Multiple Hosts CAR-2013-05-003: SMB Write Request CAR-2013-05-005: SMB Copy and Execution CAR-2013-10-001: User Login Activity Monitoring
T1082: System Information Discovery	(N/A - technique only)	CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2016-03-001: Host Discovery Commands
T1087: Account Discovery
	T1087.001: Local Account	CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2016-03-001: Host Discovery Commands
	T1087.002: Domain Account	CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2016-03-001: Host Discovery Commands
T1098: Account Manipulation	(N/A - technique only)	CAR-2013-04-002: Quick execution of a series of suspicious commands
T1105: Ingress Tool Transfer	(N/A - technique only)	CAR-2013-07-001: Suspicious Arguments CAR-2021-05-005: BITSAdmin Download File CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments
T1112: Modify Registry	(N/A - technique only)	CAR-2013-01-002: Autorun Differences CAR-2013-03-001: Reg.exe called from Command Shell CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2014-11-005: Remote Registry CAR-2020-05-003: Rare LolBAS Command Lines CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'
T1127: Trusted Developer Utilities Proxy Execution	T1127.001: MSBuild	CAR-2020-11-008: MSBuild and msxsl
T1136: Create Account	T1136.001: Local Account	CAR-2021-05-010: Create local admin accounts using net exe
T1140: Deobfuscate/Decode Files or Information	(N/A - technique only)	CAR-2021-05-009: CertUtil With Decode Argument
T1187: Forced Authentication	(N/A - technique only)	CAR-2013-09-003: SMB Session Setups
T1197: BITS Jobs	(N/A - technique only)	CAR-2021-05-004: BITS Job Persistence CAR-2021-05-005: BITSAdmin Download File
T1204: User Execution	T1204.002: Malicious File	CAR-2021-05-002: Batch File Write to System32
T1218: System Binary Proxy Execution
	T1218.010: Regsvr32	CAR-2019-04-002: Generic Regsvr32 CAR-2019-04-003: Squiblydoo
	T1218.011: Rundll32	CAR-2014-03-006: RunDLL32.exe monitoring
	T1218.001: Compiled HTML File	CAR-2020-11-009: Compiled HTML Access
	T1218.003: CMSTP	CAR-2020-11-010: CMSTP
T1222: File and Directory Permissions Modification
	T1222.001: Windows File and Directory Permissions Modification	CAR-2019-07-001: Access Permission Modification
	T1222.002: Linux and Mac File and Directory Permissions Modification	CAR-2019-07-001: Access Permission Modification
T1490: Inhibit System Recovery	(N/A - technique only)	CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize CAR-2021-05-003: BCDEdit Failure Recovery Modification
T1505: Server Software Component	T1505.003: Web Shell	CAR-2021-02-001: Webshell-Indicative Process Tree
T1518: Software Discovery	T1518.001: Security Software Discovery	CAR-2013-04-002: Quick execution of a series of suspicious commands
T1543: Create or Modify System Process	T1543.003: Windows Service	CAR-2013-01-002: Autorun Differences CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2013-09-005: Service Outlier Executables CAR-2014-02-001: Service Binary Modifications CAR-2014-03-005: Remotely Launched Executables via Services CAR-2014-05-002: Services launching Cmd
T1546: Event Triggered Execution
	T1546.001: Change Default File Association	CAR-2013-01-002: Autorun Differences
	T1546.003: Windows Management Instrumentation Event Subscription	CAR-2013-01-002: Autorun Differences
	T1546.008: Accessibility Features	CAR-2013-01-002: Autorun Differences CAR-2014-11-003: Debuggers for Accessibility Applications CAR-2014-11-008: Command Launched from WinLogon
	T1546.010: AppInit DLLs	CAR-2013-01-002: Autorun Differences CAR-2020-09-005: AppInit DLLs
	T1546.002: Screensaver	CAR-2020-11-011: Registry Edit from Screensaver
	T1546.015: Component Object Model Hijacking	CAR-2020-09-002: Component Object Model Hijacking
T1547: Boot or Logon Autostart Execution
	T1547.004: Winlogon Helper DLL	CAR-2013-01-002: Autorun Differences CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify
	T1547.001: Registry Run Keys / Startup Folder	CAR-2013-01-002: Autorun Differences CAR-2013-03-001: Reg.exe called from Command Shell CAR-2020-05-003: Rare LolBAS Command Lines CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'
	T1547.010: Port Monitors	CAR-2013-01-002: Autorun Differences
T1548: Abuse Elevation Control Mechanism	(N/A - technique only)	CAR-2021-02-002: Get System Elevation
T1548: Abuse Elevation Control Mechanism	T1548.002: Bypass User Account Control	CAR-2013-10-002: DLL Injection via Load Library CAR-2019-04-001: UAC Bypass CAR-2021-01-008: Disable UAC
T1550: Use Alternate Authentication Material	T1550.002: Pass the Hash	CAR-2016-04-004: Successful Local Account Login
T1552: Unsecured Credentials
	T1552.001: Credentials In Files	CAR-2020-09-004: Credentials in Files & Registry
	T1552.002: Credentials in Registry	CAR-2020-09-004: Credentials in Files & Registry
T1553: Subvert Trust Controls	T1553.004: Install Root Certificate	CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store
T1559: Inter-Process Communication	T1559.002: Dynamic Data Exchange	CAR-2021-01-006: Unusual Child Process spawned using DDE exploit
T1560: Archive Collected Data	T1560.001: Archive via Utility	CAR-2013-07-005: Command Line Usage of Archiving Software
T1562: Impair Defenses
	T1562.001: Disable or Modify Tools	CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2016-04-003: User Activity from Stopping Windows Defensive Services CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt
	T1562.002: Disable Windows Event Logging	CAR-2022-03-001: Disable Windows Event Logging
	T1562.006: Indicator Blocking	CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2020-09-003: Indicator Blocking - Driver Unloaded
T1564: Hide Artifacts	T1564.004: NTFS File Attributes	CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS
T1569: System Services
	T1569.002: Service Execution	CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2014-02-001: Service Binary Modifications CAR-2014-03-005: Remotely Launched Executables via Services CAR-2021-05-012: Create Service In Suspicious File Path
	T1569.001: Launchctl	CAR-2021-05-012: Create Service In Suspicious File Path
T1570: Lateral Tool Transfer	(N/A - technique only)	CAR-2013-05-003: SMB Write Request CAR-2013-05-005: SMB Copy and Execution CAR-2014-03-001: SMB Write Request - NamedPipes
T1574: Hijack Execution Flow
	T1574.007: Path Interception by PATH Environment Variable	CAR-2013-01-002: Autorun Differences
	T1574.008: Path Interception by Search Order Hijacking	CAR-2013-01-002: Autorun Differences
	T1574.009: Path Interception by Unquoted Path	CAR-2013-01-002: Autorun Differences CAR-2014-07-001: Service Search Path Interception
	T1574.010: Services File Permissions Weakness	CAR-2013-01-002: Autorun Differences CAR-2014-02-001: Service Binary Modifications
	T1574.011: Services Registry Permissions Weakness	CAR-2013-01-002: Autorun Differences CAR-2013-03-001: Reg.exe called from Command Shell CAR-2013-04-002: Quick execution of a series of suspicious commands CAR-2020-05-003: Rare LolBAS Command Lines
	T1574.001: DLL Search Order Hijacking	CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0
T1606: Forge Web Credentials	T1606.002: SAML Tokens	CAR-2021-05-008: Certutil exe certificate extraction