From e55e597e346e43a00b4654631a4407186381e105 Mon Sep 17 00:00:00 2001
From: Marcus Bakker
Date: Tue, 23 Apr 2019 13:51:46 +0200
Subject: [PATCH] Updated to version 1.1
---
 .../techniques-administration-endpoints.yaml | 458 +++++++++++++++++-
 1 file changed, 457 insertions(+), 1 deletion(-)
diff --git a/sample-data/techniques-administration-endpoints.yaml b/sample-data/techniques-administration-endpoints.yaml
index c93096f..a608d38 100644
--- a/sample-data/techniques-administration-endpoints.yaml
+++ b/sample-data/techniques-administration-endpoints.yaml
@@ -1,6 +1,6 @@
 %YAML 1.2
 ---
-version: 1.0
+version: 1.1
 file_type: technique-administration
 name: endpoints-example
 platform: windows
@@ -11,7 +11,9 @@ techniques:
 #
 # - If desired you are free to add any key-value pairs. This will not impact the functionality of the tool.
 - technique_id: T1222
+ technique_name: File Permissions Modification
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -19,10 +21,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1223
+ technique_name: Compiled HTML File
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -30,10 +35,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1221
+ technique_name: Template Injection
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -41,10 +49,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1220
+ technique_name: XSL Script Processing
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -52,10 +63,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1217
+ technique_name: Browser Bookmark Discovery
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
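Review bot: The new `applicable_to` key (and `technique_name`) is not described in the header comment block whose tail is visible in the `@@ -11,7 +11,9 @@` hunk; the earlier comment lines are outside the hunk, so if they do not cover it either, a line such as `# - applicable_to: list of system types the detection/visibility score applies to ('all' presumably means every system of this platform - confirm against the tool's loader)` would help the next person editing this file. The scope values are free-form strings (`'all'` here, `'client endpoints'` for T1196 and T1056, `'domain controllers'` for T1201 later in the patch), so a misspelling silently creates a distinct scope instead of failing validation; listing the accepted values in the header makes that easier to catch in review. The added `technique_name` values are unquoted plain scalars, which is fine for the names in this patch, but quoting them the way `comment: ''` already is would guard against a future name containing `: ` or ` #`. The same change is repeated in every following hunk, so this note applies to all of them.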
@@ -63,40 +77,52 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1196
+ technique_name: Control Panel Items
 detection:
+ applicable_to: ['client endpoints']
 date_registered: 2019-01-10
 date_implemented: 2018-12-01
 score: 4
 location: [EDR]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1214
+ technique_name: Credentials in Registry
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-12-01
 score: 3
 location: [EDR]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1189
+ technique_name: Drive-by Compromise
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-11-01
 score: 1
 location: [SIEM UC 123, Tool Model Y]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1203
+ technique_name: Exploitation for Client Execution
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -104,10 +130,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1210
+ technique_name: Exploitation of Remote Services
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -115,10 +144,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1211
+ technique_name: Exploitation for Defense Evasion
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -126,10 +158,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1202
+ technique_name: Indirect Command Execution
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -137,10 +172,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1212
+ technique_name: Exploitation for Credential Access
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -148,10 +186,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1201
+ technique_name: Password Policy Discovery
 detection:
+ applicable_to: ['domain controllers']
 date_registered: 2019-01-10
 date_implemented: 2017-01-01
 score: 4
@@ -159,10 +200,13 @@ techniques:
 - 'Third party product A'
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1191
+ technique_name: CMSTP
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -170,10 +214,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1219
+ technique_name: Remote Access Tools
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2017-01-01
 score: 4
@@ -181,10 +228,13 @@ techniques:
 - 'Third party product A'
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1198
+ technique_name: SIP and Trust Provider Hijacking
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -192,10 +242,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1218
+ technique_name: Signed Binary Proxy Execution
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -203,10 +256,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1193
+ technique_name: Spearphishing Attachment
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -214,10 +270,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1216
+ technique_name: Signed Script Proxy Execution
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -225,10 +284,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1192
+ technique_name: Spearphishing Link
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -236,10 +298,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1209
+ technique_name: Time Providers
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -247,10 +312,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1195
+ technique_name: Supply Chain Compromise
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2017-01-01
 score: 2
@@ -258,10 +326,13 @@ techniques:
 - 'Third party product A'
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1194
+ technique_name: Spearphishing via Service
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -269,30 +340,39 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 4
 comment: ''
 - technique_id: T1204
+ technique_name: User Execution
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-12-01
 score: 0
 location: [EDR]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1182
+ technique_name: AppCert DLLs
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-12-01
 score: 3
 location: [EDR]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1176
+ technique_name: Browser Extensions
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -300,10 +380,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1175
+ technique_name: Distributed Component Object Model
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -311,10 +394,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1185
+ technique_name: Man in the Browser
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -322,10 +408,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1174
+ technique_name: Password Filter DLL
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -333,10 +422,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1170
+ technique_name: Mshta
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -344,10 +436,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1171
+ technique_name: LLMNR/NBT-NS Poisoning
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2017-01-01
 score: 2
@@ -355,10 +450,13 @@ techniques:
 - 'Third party product A'
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1173
+ technique_name: Dynamic Data Exchange
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -366,20 +464,26 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1181
+ technique_name: Extra Window Memory Injection
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-12-01
 score: 4
 location: [EDR]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1179
+ technique_name: Hooking
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -387,10 +491,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1186
+ technique_name: Process Doppelgänging
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -398,10 +505,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1172
+ technique_name: Domain Fronting
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-08-01
 score: 5
@@ -409,20 +519,26 @@ techniques:
 - 'Model A'
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 4
 comment: ''
 - technique_id: T1183
+ technique_name: Image File Execution Options Injection
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-11-01
 score: 2
 location: [Tool]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1177
+ technique_name: LSASS Driver
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -430,10 +546,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1180
+ technique_name: Screensaver
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -441,30 +560,39 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1134
+ technique_name: Access Token Manipulation
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-12-01
 score: 4
 location: [EDR]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1138
+ technique_name: Application Shimming
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-12-01
 score: 1
 location: [SIEM]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1140
+ technique_name: Deobfuscate/Decode Files or Information
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -472,10 +600,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1136
+ technique_name: Create Account
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -483,10 +614,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1137
+ technique_name: Office Application Startup
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -494,10 +628,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1158
+ technique_name: Hidden Files and Directories
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -505,10 +642,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1135
+ technique_name: Network Share Discovery
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -516,10 +656,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1132
+ technique_name: Data Encoding
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -527,10 +670,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1131
+ technique_name: Authentication Package
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -538,10 +684,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1129
+ technique_name: Execution through Module Load
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -549,10 +698,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1128
+ technique_name: Netsh Helper DLL
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -560,10 +712,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1127
+ technique_name: Trusted Developer Utilities
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -571,10 +726,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1126
+ technique_name: Network Share Connection Removal
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -582,10 +740,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1125
+ technique_name: Video Capture
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -593,10 +754,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1124
+ technique_name: System Time Discovery
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -604,10 +768,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1123
+ technique_name: Audio Capture
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -615,10 +782,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1122
+ technique_name: Component Object Model Hijacking
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -626,10 +796,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1121
+ technique_name: Regsvcs/Regasm
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -637,10 +810,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1118
+ technique_name: InstallUtil
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -648,20 +824,26 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1117
+ technique_name: Regsvr32
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-12-01
 score: 3
 location: [EDR]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1114
+ technique_name: Email Collection
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -669,10 +851,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1113
+ technique_name: Screen Capture
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -680,10 +865,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1112
+ technique_name: Modify Registry
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -691,10 +879,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1111
+ technique_name: Two-Factor Authentication Interception
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -702,10 +893,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1109
+ technique_name: Component Firmware
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -713,10 +907,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1108
+ technique_name: Redundant Access
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -724,10 +921,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1106
+ technique_name: Execution through API
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -735,10 +935,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1105
+ technique_name: Remote File Copy
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -746,10 +949,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1103
+ technique_name: AppInit DLLs
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -757,10 +963,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1102
+ technique_name: Web Service
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -768,20 +977,26 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1101
+ technique_name: Security Support Provider
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-11-01
 score: 4
 location: [SIEM UC 789]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 3
 comment: ''
 - technique_id: T1100
+ technique_name: Web Shell
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -789,20 +1004,26 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1099
+ technique_name: Timestomp
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-11-01
 score: 2
 location: [Tool Model X]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 4
 comment: ''
 - technique_id: T1095
+ technique_name: Standard Non-Application Layer Protocol
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -810,10 +1031,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 3
 comment: ''
 - technique_id: T1094
+ technique_name: Custom Command and Control Protocol
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -821,10 +1045,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 3
 comment: ''
 - technique_id: T1093
+ technique_name: Process Hollowing
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -832,10 +1059,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1090
+ technique_name: Connection Proxy
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -843,10 +1073,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1089
+ technique_name: Disabling Security Tools
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -854,10 +1087,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1088
+ technique_name: Bypass User Account Control
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -865,10 +1101,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1087
+ technique_name: Account Discovery
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -876,30 +1115,39 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1086
+ technique_name: PowerShell
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-12-01
 score: 3
 location: [EDR]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1085
+ technique_name: Rundll32
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-12-01
 score: 3
 location: [EDR]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1083
+ technique_name: File and Directory Discovery
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -907,10 +1155,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1082
+ technique_name: System Information Discovery
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2017-01-01
 score: 3
@@ -918,10 +1169,13 @@ techniques:
 - 'Third party product A'
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1080
+ technique_name: Taint Shared Content
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -929,10 +1183,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1079
+ technique_name: Multilayer Encryption
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -940,10 +1197,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1078
+ technique_name: Valid Accounts
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -951,10 +1211,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1077
+ technique_name: Windows Admin Shares
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-10-01
 score: 0
@@ -962,10 +1225,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1076
+ technique_name: Remote Desktop Protocol
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -973,10 +1239,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1074
+ technique_name: Data Staged
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -984,10 +1253,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1073
+ technique_name: DLL Side-Loading
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -995,10 +1267,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1072
+ technique_name: Third-party Software
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1006,20 +1281,26 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1071
+ technique_name: Standard Application Layer Protocol
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-11-01
 score: -1
 location: [SIEM UC 123]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1070
+ technique_name: Indicator Removal on Host
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1027,10 +1308,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1069
+ technique_name: Permission Groups Discovery
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1038,10 +1322,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1068
+ technique_name: Exploitation for Privilege Escalation
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1049,10 +1336,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1066
+ technique_name: Indicator Removal from Tools
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1060,10 +1350,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1065
+ technique_name: Uncommonly Used Port
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-10-01
 score: 5
@@ -1071,20 +1364,26 @@ techniques:
 - 'Model B'
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 3
 comment: ''
 - technique_id: T1064
+ technique_name: Scripting
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-12-01
 score: 3
 location: [EDR, AV Product]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1063
+ technique_name: Security Software Discovery
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1092,10 +1391,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1061
+ technique_name: Graphical User Interface
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1103,10 +1405,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1060
+ technique_name: Registry Run Keys / Startup Folder
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1114,10 +1419,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1059
+ technique_name: Command-Line Interface
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1125,10 +1433,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1058
+ technique_name: Service Registry Permissions Weakness
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1136,10 +1447,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1057
+ technique_name: Process Discovery
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1147,30 +1461,39 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1056
+ technique_name: Input Capture
 detection:
+ applicable_to: ['client endpoints']
 date_registered: 2019-01-10
 date_implemented: 2018-12-01
 score: 4
 location: [EDR]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1055
+ technique_name: Process Injection
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-12-01
 score: 4
 location: [EDR]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1054
+ technique_name: Indicator Blocking
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1178,20 +1501,26 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1053
+ technique_name: Scheduled Task
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
 location: ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1051
+ technique_name: Shared Webroot
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1199,10 +1528,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1050
+ technique_name: New Service
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1210,10 +1542,13 @@ techniques:
 - ''
 comment: 'Model G'
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1049
+ technique_name: System Network Connections Discovery
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1221,10 +1556,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1048
+ technique_name: Exfiltration Over Alternative Protocol
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1232,10 +1570,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1047
+ technique_name: Windows Management Instrumentation
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1243,10 +1584,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1043
+ technique_name: Commonly Used Port
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-10-01
 score: 0
@@ -1254,10 +1598,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1042
+ technique_name: Change Default File Association
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1265,10 +1612,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1041
+ technique_name: Exfiltration Over Command and Control Channel
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2017-01-01
 score: 2
@@ -1276,10 +1626,13 @@ techniques:
 - 'Third party product A'
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1040
+ technique_name: Network Sniffing
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1287,10 +1640,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1039
+ technique_name: Data from Network Shared Drive
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1298,10 +1654,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1038
+ technique_name: DLL Search Order Hijacking
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1309,10 +1668,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1037
+ technique_name: Logon Scripts
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-05-07
 score: 3
@@ -1320,30 +1682,39 @@ techniques:
 - 'Model F'
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1036
+ technique_name: Masquerading
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-02-01
 score: 4
 location: [Model C]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1035
+ technique_name: Service Execution
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2018-12-01
 score: 4
 location: [EDR]
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1034
+ technique_name: Path Interception
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1351,10 +1722,13 @@ techniques:
 - ''
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 2
 comment: ''
 - technique_id: T1033
+ technique_name: System Owner/User Discovery
 detection:
+ applicable_to: ['all']
 date_registered: 2019-01-10
 date_implemented: 2017-01-01
 score: 3
@@ -1362,10 +1736,13 @@ techniques:
 - 'Third party product A'
 comment: ''
 visibility:
+ applicable_to: ['all']
 score: 1
 comment: ''
 - technique_id: T1032
+ technique_name: Standard Cryptographic Protocol
 detection:
+ applicable_to: ['all']
 date_registered:
 date_implemented:
 score: -1
@@ -1373,10 +1750,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 3 comment: '' - technique_id: T1031 + technique_name: Modify Existing Service detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1384,10 +1764,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 2 comment: '' - technique_id: T1030 + technique_name: Data Transfer Size Limits detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1395,10 +1778,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1029 + technique_name: Scheduled Transfer detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1406,20 +1792,26 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1028 + technique_name: Windows Remote Management detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1 location: '' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1027 + technique_name: Obfuscated Files or Information detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1427,10 +1819,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1026 + technique_name: Multiband Communication detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1438,10 +1833,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1025 + technique_name: Data from Removable Media detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1449,20 +1847,26 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1024 + technique_name: Custom Cryptographic Protocol detection: + applicable_to: ['all'] date_registered: 2019-01-10 date_implemented: 2018-12-01 score: 0 location: [EDR] comment: '' visibility: + applicable_to: ['all'] score: 2 comment: '' - technique_id: T1023 + technique_name: Shortcut Modification detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1470,10 +1874,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1022 + technique_name: Data Encrypted detection: + applicable_to: ['all'] date_registered: 2019-01-10 date_implemented: 2017-10-10 score: 2
@@ -1481,10 +1888,13 @@ techniques: - 'Model D' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1020 + technique_name: Automated Exfiltration detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1492,10 +1902,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1018 + technique_name: Remote System Discovery detection: + applicable_to: ['all'] date_registered: 2019-01-10 date_implemented: 2017-01-01 score: 3
@@ -1503,10 +1916,13 @@ techniques: - 'Third party product A' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1017 + technique_name: Application Deployment Software detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1514,10 +1930,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1016 + technique_name: System Network Configuration Discovery detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1525,10 +1944,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 2 comment: '' - technique_id: T1015 + technique_name: Accessibility Features detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1536,10 +1958,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 2 comment: '' - technique_id: T1013 + technique_name: Port Monitors detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1547,10 +1972,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1012 + technique_name: Query Registry detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1558,10 +1986,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 2 comment: '' - technique_id: T1011 + technique_name: Exfiltration Over Other Network Medium detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1569,10 +2000,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 2 comment: '' - technique_id: T1010 + technique_name: Application Window Discovery detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1580,10 +2014,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1008 + technique_name: Fallback Channels detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1591,10 +2028,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1007 + technique_name: System Service Discovery detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1602,10 +2042,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 2 comment: '' - technique_id: T1005 + technique_name: Data from Local System detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1613,10 +2056,13 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1004 + technique_name: Winlogon Helper DLL detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1624,20 +2070,26 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 2 comment: '' - technique_id: T1003 + technique_name: Credential Dumping detection: + applicable_to: ['all'] date_registered: 2019-01-10 date_implemented: 2018-12-01 score: 3 location: [EDR] comment: '' visibility: + applicable_to: ['all'] score: 2 comment: '' - technique_id: T1002 + technique_name: Data Compressed detection: + applicable_to: ['all'] date_registered: 2019-01-10 date_implemented: 2017-10-10 score: 2
@@ -1645,10 +2097,13 @@ techniques: - 'Model E' comment: '' visibility: + applicable_to: ['all'] score: 1 comment: '' - technique_id: T1001 + technique_name: Data Obfuscation detection: + applicable_to: ['all'] date_registered: date_implemented: score: -1
@@ -1656,5 +2111,6 @@ techniques: - '' comment: '' visibility: + applicable_to: ['all'] score: 2 comment: ''