Updates
News
Information about the latest CAR updates and changes can be found in this section.
February 2022
- Updated analytic coverage page, now with separate ATT&CK navigator layers for each repository.
- New analytics added
January 2022
- New analytics added
May 2021
- New analytics added - special thanks to the Splunk Threat Research team for working with us to incorporate these.
  - CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store
  - CAR-2021-05-002: Batch File Write to System32
  - CAR-2021-05-003: BCDEdit Failure Recovery Modification
  - CAR-2021-05-004: BITS Job Persistence
  - CAR-2021-05-005: BITSAdmin Download File
  - CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments
  - CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments
  - CAR-2021-05-008: Certutil exe certificate extraction
  - CAR-2021-05-009: CertUtil With Decode Argument
  - CAR-2021-05-010: Create local admin accounts using net exe
  - CAR-2021-05-011: Create Remote Thread into LSASS
  - CAR-2021-05-012: Create Service In Suspicious File Path
April 2021
- New analytics added
March 2021
- Added Coverage Comparison page, which compares ATT&CK Technique/Sub-technique coverage across CAR, Sigma, and Elastic Detection rules.
- New analytics added
January-February 2021
- New analytics added - special thanks to all of the submissions that we’ve received!
  - CAR-2021-01-001: Identifying Port Scanning Activity
  - CAR-2021-01-002: Unusually Long Command Line Strings
  - CAR-2021-01-003: Clearing Windows Logs with Wevtutil
  - CAR-2021-01-004: Unusual Child Process For Spoolsv.Exe Or Connhost.Exe
  - CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe
  - CAR-2021-02-001: Webshell-Indicative Process Tree
  - CAR-2021-02-002: Get System Elevation
November 2020
- Data Model update! We’re excited to roll out these changes, and we think you will like the new capabilities.
  - See the full new data model
  - Added Authentication, Email, HTTP, and Socket objects
  - Updated other objects:
    - Removed several unnecessary fields
    - Renamed some fields to make their intent more clear
    - Added several fields that have become necessary for modern analytics
  - Removed and added some Event types
- New analytics added
  - CAR-2020-11-001: Boot or Logon Initialization Scripts
  - CAR-2020-11-002: Local Network Sniffing
  - CAR-2020-11-003: DLL Injection with Mavinject
  - CAR-2020-11-004: Processes Started From Irregular Parent
  - CAR-2020-11-005: Clear Powershell Console Command History
  - CAR-2020-11-006: Local Permission Group Discovery
  - CAR-2020-11-007: Network Share Connection Removal
  - CAR-2020-11-008: MSBuild and msxsl
  - CAR-2020-11-009: Compiled HTML Access
  - CAR-2020-11-010: CMSTP
  - CAR-2020-11-011: Registry Edit from Screensaver
September 2020
- New analytics added
August 2020
- New analytics added
July 2020
- Updated ATT&CK Detection for all analytics for latest ATT&CK release.
May 2020
- Updated ATT&CK Navigator layer to incorporate sub-technique mappings for all CAR analytics.
- Added Sysmon 11.0 sensor with data model mappings and CAR analytic coverage.
- Added one new field to the Process object: env_vars
- New analytics added
April 2020
- All analytics have been updated to account for ATT&CK sub-techniques (wherever applicable). Check out the new sub-technique based coverage table here.
- Added Applicable Platforms to all analytics. This captures the set of platforms the analytic may be applicable for; note that this does not necessarily mean that an implementation for a particular platform exists for a given analytic.
- Added YAML for sensors (those added recently) and data models on Github.
- New analytics added