2330 lines
46 KiB
YAML
2330 lines
46 KiB
YAML
%YAML 1.2
|
|
---
|
|
version: 1.1
|
|
file_type: technique-administration
|
|
name: example
|
|
platform: windows
|
|
techniques:
|
|
# - Note that detection and visibility are independent from each other.
|
|
# Meaning that detection could be left blank and only have visibility filled in.
|
|
# - Also note that the below serves purely as an example and is therefore not accurate on all areas.
|
|
#
|
|
# - If desired you are free to add any key-value pairs. This will not impact the functionality of the tool.
|
|
- technique_id: T1222
|
|
technique_name: File Permissions Modification
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1223
|
|
technique_name: Compiled HTML File
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1221
|
|
technique_name: Template Injection
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1220
|
|
technique_name: XSL Script Processing
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1217
|
|
technique_name: Browser Bookmark Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1196
|
|
technique_name: Control Panel Items
|
|
detection:
|
|
applicable_to: ['client endpoints']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 4
|
|
location: [EDR]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1214
|
|
technique_name: Credentials in Registry
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 3
|
|
location: [EDR]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1189
|
|
technique_name: Drive-by Compromise
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-11-01
|
|
score: 1
|
|
location: [SIEM UC 123, Tool Model Y]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1203
|
|
technique_name: Exploitation for Client Execution
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1210
|
|
technique_name: Exploitation of Remote Services
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1211
|
|
technique_name: Exploitation for Defense Evasion
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1202
|
|
technique_name: Indirect Command Execution
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1212
|
|
technique_name: Exploitation for Credential Access
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1201
|
|
technique_name: Password Policy Discovery
|
|
detection:
|
|
applicable_to: ['domain controllers']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2017-01-01
|
|
score: 4
|
|
location:
|
|
- 'Third party product A'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1191
|
|
technique_name: CMSTP
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1219
|
|
technique_name: Remote Access Tools
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2017-01-01
|
|
score: 4
|
|
location:
|
|
- 'Third party product A'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1198
|
|
technique_name: SIP and Trust Provider Hijacking
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1218
|
|
technique_name: Signed Binary Proxy Execution
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1193
|
|
technique_name: Spearphishing Attachment
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1216
|
|
technique_name: Signed Script Proxy Execution
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1192
|
|
technique_name: Spearphishing Link
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1209
|
|
technique_name: Time Providers
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1195
|
|
technique_name: Supply Chain Compromise
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2017-01-01
|
|
score: 2
|
|
location:
|
|
- 'Third party product A'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1194
|
|
technique_name: Spearphishing via Service
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 4
|
|
comment: ''
|
|
- technique_id: T1204
|
|
technique_name: User Execution
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 0
|
|
location: [EDR]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1182
|
|
technique_name: AppCert DLLs
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 3
|
|
location: [EDR]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1176
|
|
technique_name: Browser Extensions
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1175
|
|
technique_name: Distributed Component Object Model
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1185
|
|
technique_name: Man in the Browser
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1174
|
|
technique_name: Password Filter DLL
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1170
|
|
technique_name: Mshta
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1171
|
|
technique_name: LLMNR/NBT-NS Poisoning
|
|
detection:
|
|
- applicable_to: ['client endpoint']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2017-01-01
|
|
score: 2
|
|
location:
|
|
- 'Third party product A'
|
|
comment: |
|
|
This comment will be
|
|
multiline in
|
|
Excel
|
|
- applicable_to: ['servers']
|
|
date_registered: 2019-05-01
|
|
date_implemented: 2019-05-01
|
|
score: 3
|
|
location:
|
|
- 'Model I'
|
|
comment: ''
|
|
visibility:
|
|
- applicable_to: ['client endpoint']
|
|
score: 2
|
|
comment: ''
|
|
- applicable_to: ['servers']
|
|
score: 3
|
|
comment: |
|
|
This comment will be
|
|
multiline in
|
|
Excel
|
|
- technique_id: T1173
|
|
technique_name: Dynamic Data Exchange
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1181
|
|
technique_name: Extra Window Memory Injection
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 4
|
|
location: [EDR]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1179
|
|
technique_name: Hooking
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1186
|
|
technique_name: Process Doppelgänging
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1172
|
|
technique_name: Domain Fronting
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-08-01
|
|
score: 5
|
|
location:
|
|
- 'Model A'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 4
|
|
comment: ''
|
|
- technique_id: T1183
|
|
technique_name: Image File Execution Options Injection
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-11-01
|
|
score: 2
|
|
location: [Tool]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1177
|
|
technique_name: LSASS Driver
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1180
|
|
technique_name: Screensaver
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1134
|
|
technique_name: Access Token Manipulation
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 4
|
|
location: [EDR]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1138
|
|
technique_name: Application Shimming
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 1
|
|
location: [SIEM]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1140
|
|
technique_name: Deobfuscate/Decode Files or Information
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1136
|
|
technique_name: Create Account
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1137
|
|
technique_name: Office Application Startup
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1158
|
|
technique_name: Hidden Files and Directories
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1135
|
|
technique_name: Network Share Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1132
|
|
technique_name: Data Encoding
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1131
|
|
technique_name: Authentication Package
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1129
|
|
technique_name: Execution through Module Load
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1128
|
|
technique_name: Netsh Helper DLL
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1127
|
|
technique_name: Trusted Developer Utilities
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1126
|
|
technique_name: Network Share Connection Removal
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1125
|
|
technique_name: Video Capture
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1124
|
|
technique_name: System Time Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1123
|
|
technique_name: Audio Capture
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1122
|
|
technique_name: Component Object Model Hijacking
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1121
|
|
technique_name: Regsvcs/Regasm
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1118
|
|
technique_name: InstallUtil
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1117
|
|
technique_name: Regsvr32
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 3
|
|
location: [EDR]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1114
|
|
technique_name: Email Collection
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1113
|
|
technique_name: Screen Capture
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1112
|
|
technique_name: Modify Registry
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1111
|
|
technique_name: Two-Factor Authentication Interception
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1109
|
|
technique_name: Component Firmware
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1108
|
|
technique_name: Redundant Access
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1106
|
|
technique_name: Execution through API
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1105
|
|
technique_name: Remote File Copy
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1103
|
|
technique_name: AppInit DLLs
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1102
|
|
technique_name: Web Service
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1101
|
|
technique_name: Security Support Provider
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-11-01
|
|
score: 4
|
|
location: [SIEM UC 789]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 3
|
|
comment: ''
|
|
- technique_id: T1100
|
|
technique_name: Web Shell
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1099
|
|
technique_name: Timestomp
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-11-01
|
|
score: 2
|
|
location: [Tool Model X]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 4
|
|
comment: ''
|
|
- technique_id: T1095
|
|
technique_name: Standard Non-Application Layer Protocol
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 3
|
|
comment: ''
|
|
- technique_id: T1094
|
|
technique_name: Custom Command and Control Protocol
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 3
|
|
comment: ''
|
|
- technique_id: T1093
|
|
technique_name: Process Hollowing
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1090
|
|
technique_name: Connection Proxy
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1089
|
|
technique_name: Disabling Security Tools
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1088
|
|
technique_name: Bypass User Account Control
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1087
|
|
technique_name: Account Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1086
|
|
technique_name: PowerShell
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 3
|
|
location: [EDR]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1085
|
|
technique_name: Rundll32
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 3
|
|
location: [EDR]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1083
|
|
technique_name: File and Directory Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1082
|
|
technique_name: System Information Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2017-01-01
|
|
score: 3
|
|
location:
|
|
- 'Third party product A'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1080
|
|
technique_name: Taint Shared Content
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1079
|
|
technique_name: Multilayer Encryption
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1078
|
|
technique_name: Valid Accounts
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1077
|
|
technique_name: Windows Admin Shares
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-10-01
|
|
score: 0
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1076
|
|
technique_name: Remote Desktop Protocol
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1074
|
|
technique_name: Data Staged
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1073
|
|
technique_name: DLL Side-Loading
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1072
|
|
technique_name: Third-party Software
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1071
|
|
technique_name: Standard Application Layer Protocol
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-11-01
|
|
score: -1
|
|
location: [SIEM UC 123]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1070
|
|
technique_name: Indicator Removal on Host
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1069
|
|
technique_name: Permission Groups Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1068
|
|
technique_name: Exploitation for Privilege Escalation
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1066
|
|
technique_name: Indicator Removal from Tools
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1065
|
|
technique_name: Uncommonly Used Port
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-10-01
|
|
score: 5
|
|
location:
|
|
- 'Model B'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 3
|
|
comment: ''
|
|
- technique_id: T1064
|
|
technique_name: Scripting
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 3
|
|
location: [EDR, AV Product]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1063
|
|
technique_name: Security Software Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1061
|
|
technique_name: Graphical User Interface
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1060
|
|
technique_name: Registry Run Keys / Startup Folder
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1059
|
|
technique_name: Command-Line Interface
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1058
|
|
technique_name: Service Registry Permissions Weakness
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1057
|
|
technique_name: Process Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1056
|
|
technique_name: Input Capture
|
|
detection:
|
|
applicable_to: ['client endpoints']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 4
|
|
location: [EDR]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1055
|
|
technique_name: Process Injection
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 4
|
|
location: [EDR]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1054
|
|
technique_name: Indicator Blocking
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1053
|
|
technique_name: Scheduled Task
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1051
|
|
technique_name: Shared Webroot
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1050
|
|
technique_name: New Service
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: 'Model G'
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1049
|
|
technique_name: System Network Connections Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1048
|
|
technique_name: Exfiltration Over Alternative Protocol
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1047
|
|
technique_name: Windows Management Instrumentation
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1043
|
|
technique_name: Commonly Used Port
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-10-01
|
|
score: 0
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1042
|
|
technique_name: Change Default File Association
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1041
|
|
technique_name: Exfiltration Over Command and Control Channel
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2017-01-01
|
|
score: 2
|
|
location:
|
|
- 'Third party product A'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1040
|
|
technique_name: Network Sniffing
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1039
|
|
technique_name: Data from Network Shared Drive
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1038
|
|
technique_name: DLL Search Order Hijacking
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1037
|
|
technique_name: Logon Scripts
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-05-07
|
|
score: 3
|
|
location:
|
|
- 'Model F'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1036
|
|
technique_name: Masquerading
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-02-01
|
|
score: 4
|
|
location: [Model C]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1035
|
|
technique_name: Service Execution
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 4
|
|
location: [EDR]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1034
|
|
technique_name: Path Interception
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1033
|
|
technique_name: System Owner/User Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2017-01-01
|
|
score: 3
|
|
location:
|
|
- 'Third party product A'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1032
|
|
technique_name: Standard Cryptographic Protocol
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 3
|
|
comment: ''
|
|
- technique_id: T1031
|
|
technique_name: Modify Existing Service
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1030
|
|
technique_name: Data Transfer Size Limits
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1029
|
|
technique_name: Scheduled Transfer
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1028
|
|
technique_name: Windows Remote Management
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1027
|
|
technique_name: Obfuscated Files or Information
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1026
|
|
technique_name: Multiband Communication
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1025
|
|
technique_name: Data from Removable Media
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1024
|
|
technique_name: Custom Cryptographic Protocol
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 0
|
|
location: [EDR]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1023
|
|
technique_name: Shortcut Modification
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1022
|
|
technique_name: Data Encrypted
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2017-10-10
|
|
score: 2
|
|
location:
|
|
- 'Model D'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1020
|
|
technique_name: Automated Exfiltration
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1018
|
|
technique_name: Remote System Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2017-01-01
|
|
score: 3
|
|
location:
|
|
- 'Third party product A'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1017
|
|
technique_name: Application Deployment Software
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1016
|
|
technique_name: System Network Configuration Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1015
|
|
technique_name: Accessibility Features
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1013
|
|
technique_name: Port Monitors
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1012
|
|
technique_name: Query Registry
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1011
|
|
technique_name: Exfiltration Over Other Network Medium
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1010
|
|
technique_name: Application Window Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1008
|
|
technique_name: Fallback Channels
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1007
|
|
technique_name: System Service Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1005
|
|
technique_name: Data from Local System
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1004
|
|
technique_name: Winlogon Helper DLL
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1003
|
|
technique_name: Credential Dumping
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2018-12-01
|
|
score: 3
|
|
location: [EDR]
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1002
|
|
technique_name: Data Compressed
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-01-10
|
|
date_implemented: 2017-10-10
|
|
score: 2
|
|
location:
|
|
- 'Model E'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1001
|
|
technique_name: Data Obfuscation
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1485
|
|
technique_name: Data Destruction
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1486
|
|
technique_name: Data Encrypted for Impact
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered: 2019-05-01
|
|
date_implemented: 2015-01-01
|
|
score: 4
|
|
location:
|
|
- 'Model J'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 3
|
|
comment: ''
|
|
- technique_id: T1488
|
|
technique_name: Disk Content Wipe
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1499
|
|
technique_name: Endpoint Denial of Service
|
|
detection:
|
|
applicable_to: ['websites']
|
|
date_registered: 2019-05-01
|
|
date_implemented: 2015-01-01
|
|
score: 5
|
|
location:
|
|
- 'Third party'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['websites']
|
|
score: 4
|
|
comment: ''
|
|
- technique_id: T1490
|
|
technique_name: Inhibit System Recovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1498
|
|
technique_name: Network Denial of Service
|
|
detection:
|
|
applicable_to: ['websites']
|
|
date_registered: 2019-05-01
|
|
date_implemented: 2015-01-01
|
|
score: 5
|
|
location:
|
|
- 'Third party'
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['websites']
|
|
score: 4
|
|
comment: ''
|
|
- technique_id: T1496
|
|
technique_name: Resource Hijacking
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1494
|
|
technique_name: Runtime Data Manipulation
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1489
|
|
technique_name: Service Stop
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1500
|
|
technique_name: Compile After Delivery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1483
|
|
technique_name: Domain Generation Algorithms
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 1
|
|
comment: ''
|
|
- technique_id: T1482
|
|
technique_name: Domain Trust Discovery
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: ''
|
|
- technique_id: T1480
|
|
technique_name: Execution Guardrails
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 4
|
|
comment: ''
|
|
- technique_id: T1497
|
|
technique_name: Virtualization/Sandbox Evasion
|
|
detection:
|
|
applicable_to: ['all']
|
|
date_registered:
|
|
date_implemented:
|
|
score: -1
|
|
location:
|
|
- ''
|
|
comment: ''
|
|
visibility:
|
|
applicable_to: ['all']
|
|
score: 2
|
|
comment: '' |