Analytic List (by date added)

| Analytic | ATT&CK Techniques | Implementations | Applicable Platform(s) |
|---|---|---|---|
| CAR-2013-01-002: Autorun Differences | | | Windows |
| CAR-2013-01-003: SMB Events Monitoring | | Pseudocode | N/A |
| CAR-2013-02-003: Processes Spawning cmd.exe | | Dnif, Pseudocode | Windows |
| CAR-2013-02-008: Simultaneous Logins on a Host | | Pseudocode | Windows, Linux, macOS |
| CAR-2013-02-012: User Logged in to Multiple Hosts | | | Windows, Linux, macOS |
| CAR-2013-03-001: Reg.exe called from Command Shell | | Dnif, Pseudocode | Windows |
| CAR-2013-04-002: Quick execution of a series of suspicious commands | | Dnif, Pseudocode, Sigma | Windows, Linux, macOS |
| CAR-2013-05-002: Suspicious Run Locations | | Dnif, Pseudocode, Sigma | Windows |
| CAR-2013-05-003: SMB Write Request | | Pseudocode | Windows, Linux, macOS |
| CAR-2013-05-004: Execution with AT | | Dnif, Eql, Pseudocode, Splunk | Windows |
| CAR-2013-05-005: SMB Copy and Execution | | Pseudocode | Windows, Linux, macOS |
| CAR-2013-05-009: Running executables with same hash and different names | | Dnif, Sigma, Splunk | Windows, Linux, macOS |
| CAR-2013-07-001: Suspicious Arguments | | Dnif, Eql, Pseudocode, Splunk | Windows, Linux, macOS |
| CAR-2013-07-002: RDP Connection Detection | | Pseudocode, Sigma | N/A |
| CAR-2013-07-005: Command Line Usage of Archiving Software | | Dnif, Pseudocode | N/A |
| CAR-2013-08-001: Execution with schtasks | | Dnif, Pseudocode | Windows |
| CAR-2013-09-003: SMB Session Setups | | Pseudocode | N/A |
| CAR-2013-09-005: Service Outlier Executables | | Pseudocode, Sigma | Windows |
| CAR-2013-10-001: User Login Activity Monitoring | | Dnif, Pseudocode, Splunk | Windows, Linux, macOS |
| CAR-2013-10-002: DLL Injection via Load Library | | Pseudocode | Windows |
| CAR-2014-02-001: Service Binary Modifications | | Pseudocode | Windows |
| CAR-2014-03-001: SMB Write Request - NamedPipes | | Pseudocode | Windows, Linux, macOS |
| CAR-2014-03-005: Remotely Launched Executables via Services | | Pseudocode | Windows |
| CAR-2014-03-006: RunDLL32.exe monitoring | | Dnif, Pseudocode | Windows |
| CAR-2014-04-003: Powershell Execution | | Dnif, Eql, Pseudocode, Splunk | Windows |
| CAR-2014-05-001: RPC Activity | | Pseudocode | Windows |
| CAR-2014-05-002: Services launching Cmd | | Dnif, Eql, Pseudocode, Splunk | Windows |
| CAR-2014-07-001: Service Search Path Interception | | Pseudocode | Windows |
| CAR-2014-11-002: Outlier Parents of Cmd | | Pseudocode | Windows |
| CAR-2014-11-003: Debuggers for Accessibility Applications | | Pseudocode | Windows |
| CAR-2014-11-004: Remote PowerShell Sessions | | Eql, Pseudocode | Windows |
| CAR-2014-11-005: Remote Registry | | Pseudocode | Windows |
| CAR-2014-11-006: Windows Remote Management (WinRM) | | Pseudocode | Windows |
| CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | | Pseudocode | Windows |
| CAR-2014-11-008: Command Launched from WinLogon | | Eql, Pseudocode, Splunk | Windows |
| CAR-2014-12-001: Remotely Launched Executables via WMI | | Pseudocode | Windows |
| CAR-2015-04-001: Remotely Scheduled Tasks via AT | | Pseudocode | Windows |
| CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | | Pseudocode | Windows |
| CAR-2015-07-001: All Logins Since Last Boot | | Pseudocode | Windows, Linux, macOS |
| CAR-2016-03-001: Host Discovery Commands | | Eql, Pseudocode, Splunk | Windows, Linux, macOS |
| CAR-2016-03-002: Create Remote Process via WMIC | | Eql, Pseudocode, Splunk | Windows |
| CAR-2016-04-002: User Activity from Clearing Event Logs | | Pseudocode, Sigma | Windows, Linux, macOS |
| CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | | Pseudocode | Windows |
| CAR-2016-04-004: Successful Local Account Login | | Pseudocode | Windows |
| CAR-2016-04-005: Remote Desktop Logon | | Pseudocode, Sigma | Windows |
| CAR-2019-04-001: UAC Bypass | | Pseudocode, Sigma, Splunk | Windows |
| CAR-2019-04-002: Generic Regsvr32 | | Pseudocode, Splunk | Windows |
| CAR-2019-04-003: Squiblydoo | | Eql, Pseudocode, Splunk | Windows |
| CAR-2019-04-004: Credential Dumping via Mimikatz | | Splunk | Windows |
| CAR-2019-07-001: Access Permission Modification | | Pseudocode, Splunk | Windows, Linux, macOS |
| CAR-2019-07-002: Lsass Process Dump via Procdump | | Eql, Pseudocode, Sigma, Splunk | Windows |
| CAR-2019-08-001: Credential Dumping via Windows Task Manager | | Eql, Pseudocode, Splunk | Windows |
| CAR-2019-08-002: Active Directory Dumping via NTDSUtil | | Eql, Pseudocode, Splunk | Windows |
| CAR-2020-04-001: Shadow Copy Deletion | | Eql, Pseudocode, Sigma, Splunk | Windows |
| CAR-2020-05-001: MiniDump of LSASS | | Splunk | Windows |
| CAR-2020-05-003: Rare LolBAS Command Lines | | Pseudocode, Splunk | Windows |
| CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | | Pseudocode, Splunk | Windows |
| CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS | | Pseudocode, Splunk | Windows |

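Two of the analytics above are simple aggregations over process-creation telemetry and make good illustrations of what a CAR pseudocode implementation looks like in practice. The block below is an added example, not CAR's own implementation of either analytic: it applies the logic named by CAR-2013-05-009 (one file hash executed under more than one file name, a common sign of a renamed or masqueraded binary) and CAR-2013-04-002 (several distinct discovery commands run on one host in a short window) to a handful of constructed process events. The event field names, the list of "suspicious" discovery commands, the 30-minute window and the threshold of five distinct commands are all assumptions chosen for the example; a real deployment would tune them against its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry). Field names are an
# assumption; map your own EDR/Sysmon schema onto them. Hashes are placeholders.
EVENTS = [
    {"time": "2024-01-10T09:00:05", "host": "WS01", "image": r"C:\Windows\System32\whoami.exe", "hash": "h-whoami"},
    {"time": "2024-01-10T09:00:20", "host": "WS01", "image": r"C:\Windows\System32\net.exe", "hash": "h-net"},
    {"time": "2024-01-10T09:01:02", "host": "WS01", "image": r"C:\Windows\System32\ipconfig.exe", "hash": "h-ipconfig"},
    {"time": "2024-01-10T09:01:40", "host": "WS01", "image": r"C:\Windows\System32\systeminfo.exe", "hash": "h-systeminfo"},
    {"time": "2024-01-10T09:03:15", "host": "WS01", "image": r"C:\Windows\System32\tasklist.exe", "hash": "h-tasklist"},
    {"time": "2024-01-10T10:15:00", "host": "WS02", "image": r"C:\Windows\System32\ipconfig.exe", "hash": "h-ipconfig"},
    {"time": "2024-01-10T11:00:00", "host": "WS02", "image": r"C:\Windows\System32\notepad.exe", "hash": "h-notepad"},
    {"time": "2024-01-10T11:05:00", "host": "WS03", "image": r"C:\Windows\System32\notepad.exe", "hash": "h-notepad"},
    {"time": "2024-01-10T12:00:00", "host": "WS02", "image": r"C:\Users\bob\Downloads\update.exe", "hash": "h-renamed"},
    {"time": "2024-01-10T12:30:00", "host": "WS03", "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "hash": "h-renamed"},
]

# Discovery commands treated as suspicious when chained. Assumed list for the example.
SUSPICIOUS = {"whoami", "net", "ipconfig", "systeminfo", "tasklist", "hostname",
              "netstat", "nbtstat", "arp", "route", "qprocess", "quser"}


def same_hash_different_names(events):
    """CAR-2013-05-009 logic: group by file hash and flag any hash seen under
    more than one file name. Returns {hash: sorted list of names}."""
    names_by_hash = defaultdict(set)
    for e in events:
        # PureWindowsPath parses backslash paths on any OS.
        names_by_hash[e["hash"]].add(PureWindowsPath(e["image"]).name.lower())
    return {h: sorted(n) for h, n in names_by_hash.items() if len(n) > 1}


def rapid_suspicious_commands(events, window=timedelta(minutes=30), threshold=5):
    """CAR-2013-04-002 logic: per host, slide a time window over the suspicious
    process starts and alert when >= threshold distinct commands fall inside it.
    Returns {host: sorted list of commands in the first window that triggered}."""
    by_host = defaultdict(list)
    for e in events:
        cmd = PureWindowsPath(e["image"]).stem.lower()
        if cmd in SUSPICIOUS:
            by_host[e["host"]].append((datetime.fromisoformat(e["time"]), cmd))
    alerts = {}
    for host, starts in by_host.items():
        starts.sort()
        for i, (t0, _) in enumerate(starts):
            # Distinct commands whose start time lies within [t0, t0 + window].
            seen = {cmd for t, cmd in starts[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    print("same hash, different names:", same_hash_different_names(EVENTS))
    print("rapid discovery commands:", rapid_suspicious_commands(EVENTS))
```

On the constructed data the first function flags only the hash seen as both update.exe and svchost.exe (notepad.exe shares a hash across two hosts but keeps its name, so it is not reported), and the second alerts on WS01, which ran five distinct discovery commands inside four minutes, while WS02's lone ipconfig stays below the threshold. The sliding window is quadratic in the number of suspicious starts per host, which is fine for a per-host stream but would be replaced by a streaming window in a production pipeline.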

Analytic List (by technique/sub-technique coverage)

| ATT&CK Technique | ATT&CK Sub-technique(s) | CAR Analytic(s) |
|---|---|---|
| Create or Modify System Process | Windows Service | |
| Scheduled Task/Job | (N/A - see below) | (N/A - see below) |
| | Scheduled Task | |
| | At (Windows) | |
| Boot or Logon Autostart Execution | (N/A - see below) | (N/A - see below) |
| | Registry Run Keys / Startup Folder | |
| | Port Monitors | |
| | Winlogon Helper DLL | |
| Hijack Execution Flow | (N/A - see below) | (N/A - see below) |
| | Services File Permissions Weakness | |
| | Services Registry Permissions Weakness | |
| | Path Interception by PATH Environment Variable | |
| | Path Interception by Search Order Hijacking | |
| | Path Interception by Unquoted Path | |
| Event Triggered Execution | (N/A - see below) | (N/A - see below) |
| | Accessibility Features | |
| | Change Default File Association | |
| | Windows Management Instrumentation Event Subscription | |
| | AppInit DLLs | |
| Boot or Logon Initialization Scripts | Logon Script (Windows) | |
| Remote Services | (N/A - technique only) | |
| | Remote Desktop Protocol | |
| | SMB/Windows Admin Shares | |
| | Distributed Component Object Model | |
| | Windows Remote Management | |
| Command and Scripting Interpreter | (N/A - see below) | (N/A - see below) |
| | Windows Command Shell | |
| | Visual Basic | |
| Valid Accounts | (N/A - see below) | (N/A - see below) |
| | Domain Accounts | |
| | Local Accounts | |
| Account Discovery | (N/A - see below) | (N/A - see below) |
| | Local Account | |
| | Domain Account | |
| OS Credential Dumping | (N/A - see below) | (N/A - see below) |
| | LSASS Memory | |
| | Security Account Manager | |
| Permission Groups Discovery | (N/A - see below) | (N/A - see below) |
| | Local Groups | |
| | Domain Groups | |
| System Services | Service Execution | |
| Software Discovery | Security Software Discovery | |
| Impair Defenses | (N/A - see below) | (N/A - see below) |
| | Disable or Modify Tools | |
| | Indicator Blocking | |
| | Rename System Utilities | |
| Archive Collected Data | Archive via Utility | |
| Process Injection | Dynamic-link Library Injection | |
| Abuse Elevation Control Mechanism | Bypass User Access Control | |
| Signed Binary Proxy Execution | (N/A - see below) | (N/A - see below) |
| Indicator Removal on Host | Clear Windows Event Logs | |
| Use Alternate Authentication Material | Pass the Hash | |
| File and Directory Permissions Modification | (N/A - see below) | (N/A - see below) |
| | Windows File and Directory Permissions Modification | |
| | Linux and Mac File and Directory Permissions Modification | |
| Hide Artifacts | NTFS File Attributes | |