Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history)
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1548 | Abuse Elevation Control Mechanism | Monitor executed commands and arguments that may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions.
Enterprise | T1548.001 | Setuid and Setgid | Monitor for execution of utilities, like chmod, and their command-line arguments to look for setuid or setgid bits being set.
Enterprise | T1548.002 | Bypass User Account Control | Monitor executed commands and arguments that may bypass UAC mechanisms to elevate process privileges on the system.
Enterprise | T1548.003 | Sudo and Sudo Caching | Monitor executed commands and arguments that may perform sudo caching and/or use the sudoers file to elevate privileges, such as the
Enterprise | T1134 | Access Token Manipulation | Monitor executed commands and arguments for token manipulation by auditing command-line activity. Specifically, analysts should look for use of the
Enterprise | T1134.001 | Token Impersonation/Theft | Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.[3]
Enterprise | T1134.002 | Create Process with Token | Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.[3]
Enterprise | T1134.003 | Make and Impersonate Token | Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.[3]
Enterprise | T1087 | Account Discovery | Monitor logs and other sources of command execution history for actions that could be taken to gather information about accounts, including the use of calls to cloud APIs that perform account discovery. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Enterprise | T1087.001 | Local Account | Monitor for execution of commands and arguments associated with enumeration or information gathering of local accounts and groups such as System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Enterprise | T1087.002 | Domain Account | Monitor for execution of commands and arguments associated with enumeration or information gathering of domain accounts and groups, such as System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Enterprise | T1087.003 | Email Account | Monitor for execution of commands and arguments associated with enumeration or information gathering of email addresses and accounts such as
Enterprise | T1087.004 | Cloud Account | Monitor logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Enterprise | T1098 | Account Manipulation | Monitor executed commands and arguments for suspicious commands to modify accounts or account settings (including files such as the authorized_keys or /etc/ssh/sshd_config). Monitor executed commands and arguments of suspicious commands (such as Add-MailboxPermission) that may be indicative of modifying the permissions of Exchange and other related service settings.
Enterprise | T1098.004 | SSH Authorized Keys | Monitor executed commands and arguments to modify the authorized_keys or /etc/ssh/sshd_config files.
Enterprise | T1010 | Application Window Discovery | Monitor executed commands and arguments for actions that could be taken to gather system and network information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Enterprise | T1560 | Archive Collected Data | Monitor executed commands and arguments for actions that will aid in compressing or encrypting data that is collected prior to exfiltration, such as tar.
Enterprise | T1560.001 | Archive via Utility | Monitor executed commands and arguments for actions that will aid in compressing or encrypting data that is collected prior to exfiltration, such as tar.
Enterprise | T1123 | Audio Capture | Monitor executed commands and arguments for actions that can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening in on sensitive conversations to gather information.
Enterprise | T1119 | Automated Collection | Monitor executed commands and arguments for actions that could be taken to collect internal data.
Enterprise | T1020 | Automated Exfiltration | Monitor executed commands and arguments that may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.
Enterprise | T1197 | BITS Jobs | Monitor executed commands and arguments from the BITSAdmin tool (especially the 'Transfer', 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options).[4] Also monitor admin logs, PowerShell logs, and the Windows Event log for BITS activity.[5] Consider investigating more detailed information about jobs by parsing the BITS job database.[6]
Enterprise | T1547 | Boot or Logon Autostart Execution | Monitor executed commands and arguments that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Monitor executed commands and arguments that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
Enterprise | T1547.002 | Authentication Package | Monitor executed commands and arguments that may abuse authentication packages to execute DLLs when the system boots.
Enterprise | T1547.003 | Time Providers | Monitor executed commands and arguments that may abuse time providers to execute DLLs when the system boots.
Enterprise | T1547.004 | Winlogon Helper DLL | Monitor executed commands and arguments that may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
Enterprise | T1547.005 | Security Support Provider | Monitor executed commands and arguments that may abuse security support providers (SSPs) to execute DLLs when the system boots.
Enterprise | T1547.006 | Kernel Modules and Extensions | Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: On macOS, monitor for execution of
Enterprise | T1547.007 | Re-opened Applications | Monitor executed commands and arguments that may modify plist files to automatically run an application when a user logs in.
Enterprise | T1547.013 | XDG Autostart Entries | Monitor executed commands and arguments that may modify XDG autostart entries to execute programs or commands during system boot.
Enterprise | T1547.014 | Active Setup | Monitor executed commands and arguments that may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Enterprise | T1037 | Boot or Logon Initialization Scripts | Monitor executed commands and arguments that may consist of logon scripts for unusual access by abnormal users or at abnormal times.
Enterprise | T1037.001 | Logon Script (Windows) | Monitor executed commands and arguments for logon scripts.
Enterprise | T1037.002 | Login Hook | Monitor executed commands with arguments to install or modify login hooks.
Enterprise | T1037.003 | Network Logon Script | Monitor executed commands and arguments for logon scripts.
Enterprise | T1037.004 | RC Scripts | Monitor executed commands and arguments resulting from RC scripts for unusual or unknown applications or behavior.
Enterprise | T1037.005 | Startup Items | Monitor executed commands and arguments for logon scripts.
Enterprise | T1217 | Browser Bookmark Discovery | Monitor executed commands and arguments for actions that could be taken to gather browser bookmark information. Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as Windows Management Instrumentation and PowerShell.
Enterprise | T1176 | Browser Extensions | Monitor executed commands and arguments for usage of the profiles tool, such as profiles install -type=configuration.
Enterprise | T1110 | Brute Force | Monitor executed commands and arguments that may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Enterprise | T1115 | Clipboard Data | Monitor executed commands and arguments to collect data stored in the clipboard from users copying information within or between applications.
Enterprise | T1059 | Command and Scripting Interpreter | Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.
Enterprise | T1059.001 | PowerShell | If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations).[13] PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.[14] An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.
Enterprise | T1059.002 | AppleScript | Monitor executed commands and arguments that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
Enterprise | T1059.003 | Windows Command Shell | Monitor executed commands and arguments that may abuse the Windows command shell for execution. Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
Enterprise | T1059.004 | Unix Shell | Monitor executed commands and arguments that may abuse Unix shell commands and scripts for execution. Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
Enterprise | T1059.005 | Visual Basic | Monitor executed commands and arguments that may abuse Visual Basic (VB) for execution.
Enterprise | T1059.006 | Python | Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor executed commands and arguments that may abuse Python commands and scripts for execution.
Enterprise | T1059.007 | JavaScript | Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source. Monitor for execution of JXA through
Enterprise | T1059.008 | Network Device CLI | Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.[15] Consider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.
Enterprise | T1609 | Container Administration Command | Monitor commands and arguments executed by container services. In Docker, the daemon log provides insight into events at the daemon and container service level. Kubernetes system component logs may also detect activities running in and out of containers in the cluster.
Enterprise | T1136 | Create Account | Monitor executed commands and arguments for actions that are associated with account creation, such as net user or useradd.
Enterprise | T1136.001 | Local Account | Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add, useradd, and dscl -create.
Enterprise | T1136.002 | Domain Account | Monitor executed commands and arguments for actions that are associated with domain account creation, such as net user /add /domain.
Enterprise | T1543 | Create or Modify System Process | Command-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques.
Enterprise | T1543.001 | Launch Agent | Ensure Launch Agent's
Enterprise | T1543.002 | Systemd Service | Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services:
Enterprise | T1543.003 | Windows Service | Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. Also collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts.
Enterprise | T1543.004 | Launch Daemon | Some legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the
Enterprise | T1555 | Credentials from Password Stores | Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials.
Enterprise | T1555.001 | Keychain | Monitor executed commands with arguments that may be used to collect Keychain data from a system to acquire credentials.
Enterprise | T1555.002 | Securityd Memory | Monitor executed commands and arguments that may obtain root access (allowing an adversary to read securityd's memory) and then scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user's logon keychain.
Enterprise | T1555.003 | Credentials from Web Browsers | Monitor executed commands and arguments that may acquire credentials from web browsers by reading files specific to the target browser.[17]
Enterprise | T1555.004 | Windows Credential Manager | Monitor executed commands and arguments of
Enterprise | T1555.005 | Password Managers | Monitor executed commands and arguments that may acquire user credentials from third-party password managers.[19]
Enterprise | T1485 | Data Destruction | Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.
Enterprise | T1486 | Data Encrypted for Impact | Monitor executed commands and arguments for actions involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit.
Enterprise | T1005 | Data from Local System | Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Enterprise | T1039 | Data from Network Shared Drive | Monitor executed commands and arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather and copy data to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Enterprise | T1025 | Data from Removable Media | Monitor executed commands and arguments for actions that could be taken to collect files from a system's connected removable media. For example, data may be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Enterprise | T1074 | Data Staged | Monitor executed commands and arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy data to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Enterprise | T1074.001 | Local Data Staging | Monitor executed commands and arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy data to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Enterprise | T1074.002 | Remote Data Staging | Monitor executed commands and arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy data to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Enterprise | T1622 | Debugger Evasion | Monitor executed commands and arguments that may employ various means to detect and avoid debugged environments. Detecting actions related to debugger identification may be difficult depending on the adversary's implementation and monitoring required.
Enterprise | T1006 | Direct Volume Access | Monitor executed commands and arguments that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through PowerShell, additional logging of PowerShell scripts is recommended.
Enterprise | T1561 | Disk Wipe | Monitor for direct access read/write attempts using the
Enterprise | T1561.001 | Disk Content Wipe | Monitor executed commands and arguments that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.
Enterprise | T1561.002 | Disk Structure Wipe | Monitor executed commands and arguments that may corrupt or wipe the disk data structures on a hard drive necessary to boot a system, targeting specific critical systems or large numbers of systems in a network to interrupt availability to system and network resources.
Enterprise | T1484 | Domain Policy Modification | Monitor executed commands and arguments for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes
Enterprise | T1484.001 | Group Policy Modification | Monitor executed commands and arguments that may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain.
Enterprise | T1484.002 | Domain Trust Modification | Monitor executed commands and arguments that update domain authentication from Managed to Federated via ActionTypes
Enterprise | T1482 | Domain Trust Discovery | Monitor executed commands and arguments for actions that could be taken to gather system and network information, such as nltest /domain_trusts. Remote access tools with built-in features may interact directly with the Windows API to gather information.
Enterprise | T1114 | Email Collection | Monitor executed processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Enterprise | T1114.001 | Local Email Collection | Monitor executed commands and arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Enterprise | T1114.002 | Remote Email Collection | Monitor executed commands and arguments for actions that may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.
Enterprise | T1546 | Event Triggered Execution | Monitor executed commands and arguments that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.
Enterprise | T1546.001 | Change Default File Association | Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by a file type association.
Enterprise | T1546.002 | Screensaver | Monitor executed commands and arguments of .scr files.
Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | Monitor executed commands and arguments that can be used to register WMI persistence, such as the
Enterprise | T1546.004 | Unix Shell Configuration Modification | Monitor executed commands and arguments that may establish persistence through executing malicious commands triggered by a user's shell.
Enterprise | T1546.005 | Trap | Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by an interrupt signal.
Enterprise | T1546.006 | LC_LOAD_DYLIB Addition | Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by the execution of tainted binaries.
Enterprise | T1546.007 | Netsh Helper DLL | Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by Netsh Helper DLLs.
Enterprise | T1546.008 | Accessibility Features | Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Command-line invocation of tools capable of modifying the Registry for associated keys is also suspicious. Utility arguments and the binaries themselves should be monitored for changes.
Enterprise | T1546.009 | AppCert DLLs | Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
Enterprise | T1546.010 | AppInit DLLs | Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
Enterprise | T1546.011 | Application Shimming | Monitor executed commands and arguments for sdbinst.exe for potential indications of application shim abuse.
Enterprise | T1546.012 | Image File Execution Options Injection | Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers.
Enterprise | T1546.013 | PowerShell Profile | Monitor for abnormal PowerShell commands and unusual loading of PowerShell drives or modules.
Enterprise | T1546.014 | Emond | Monitor executed commands and arguments that may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond).
Enterprise | T1546.015 | Component Object Model Hijacking | Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Enterprise | T1480 | Execution Guardrails | Monitor executed commands and arguments that may gather information about the victim's business relationships that can be used during targeting. Detecting the use of guardrails may be difficult depending on the implementation.
Enterprise | T1480.001 | Environmental Keying | Monitor executed commands and arguments that may gather the victim's physical location(s) that can be used during targeting. Detecting the use of environmental keying may be difficult depending on the implementation.
Enterprise | T1048 | Exfiltration Over Alternative Protocol | Monitor executed commands and arguments that may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.
Enterprise | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Monitor executed commands and arguments that may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.
Enterprise | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Monitor executed commands and arguments that may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel.
Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Monitor executed commands and arguments that may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel.
Enterprise | T1041 | Exfiltration Over C2 Channel | Monitor executed commands and arguments that may steal data by exfiltrating it over an existing command and control channel.
Enterprise | T1011 | Exfiltration Over Other Network Medium | Monitor executed commands and arguments that may attempt to exfiltrate data over a different network medium than the command and control channel.
Enterprise | T1011.001 | Exfiltration Over Bluetooth | Monitor executed commands and arguments that may attempt to exfiltrate data over Bluetooth rather than the command and control channel.
Enterprise | T1052 | Exfiltration Over Physical Medium | Monitor executed commands and arguments that may attempt to exfiltrate data via a physical medium, such as a removable drive.
Enterprise | T1052.001 | Exfiltration over USB | Monitor executed commands and arguments that may attempt to exfiltrate data over a USB-connected physical device.
Enterprise | T1567 | Exfiltration Over Web Service | Monitor executed commands and arguments that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
Enterprise | T1567.001 | Exfiltration to Code Repository | Monitor executed commands and arguments that may exfiltrate data to a code repository rather than over their primary command and control channel.
Enterprise | T1567.002 | Exfiltration to Cloud Storage | Monitor executed commands and arguments that may exfiltrate data to a cloud storage service rather than over their primary command and control channel.
Enterprise | T1083 | File and Directory Discovery | Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Enterprise | T1222 | File and Directory Permissions Modification | Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.
Enterprise | T1222.001 | Windows File and Directory Permissions Modification | Monitor executed commands and arguments for PowerShell cmdlets that can be used to retrieve or modify file and directory DACLs.
Enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include
Enterprise | T1615 | Group Policy Discovery | Monitor for suspicious use of
Enterprise | T1564 | Hide Artifacts | Monitor executed commands and arguments that may attempt to hide artifacts associated with their behaviors to evade detection.
Enterprise | T1564.001 | Hidden Files and Directories | Monitor the file system and shell commands for files being created with a leading "." and the Windows command-line use of attrib.exe to add the hidden attribute.
Enterprise | T1564.002 | Hidden Users | Monitor executed commands and arguments that could be taken to add a new user and subsequently hide it from login screens.
Enterprise | T1564.003 | Hidden Window | Monitor executed commands and arguments that may use hidden windows to conceal malicious activity from the plain sight of users. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style.
Enterprise | T1564.004 | NTFS File Attributes | The Streams tool of Sysinternals can be used to uncover files with ADSs. The
Enterprise | T1564.006 | Run Virtual Instance | Consider monitoring for commands and arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex.
Enterprise | T1564.008 | Email Hiding Rules | On Windows systems, monitor for creation of suspicious inbox rules through the use of the
Enterprise | T1564.009 | Resource Forking | Monitor executed commands and arguments that are leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections.
Enterprise | T1574 | Hijack Execution Flow | Monitor executed commands and arguments that may execute their own malicious payloads by hijacking the way operating systems run programs.
Enterprise | T1574.006 | Dynamic Linker Hijacking | Monitor executed commands and arguments associated with modifications to variables and files associated with loading shared libraries such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS.
||
.011 | Services Registry Permissions Weakness |
Monitor for the execution of commands and arguments that can be used for adversaries to modify services' registry keys and values through applications such as Windows Management Instrumentation and PowerShell. Additional logging may need to be configured to gather the appropriate data. |
||
.012 | COR_PROFILER |
Extra scrutiny should be placed on suspicious modification of Registry keys such as COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH by command line tools like wmic.exe, setx.exe, and Reg. Monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection. |
||
Enterprise | T1562 | Impair Defenses |
Monitor executed commands and arguments that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
|
.001 | Disable or Modify Tools |
Monitor for the execution of commands and arguments associated with disabling or modification of security software processes or services such as |
||
.002 | Disable Windows Event Logging |
Monitor executed commands and arguments that can be used to disable logging. For example, Wevtutil, auditpol, sc stop EventLog, and offensive tooling (such as Mimikatz and Invoke-Phant0m) may be used to clear logs.[31][32] |
||
.003 | Impair Command History Logging |
Correlating a user session with a distinct lack of new commands in their |
||
.004 | Disable or Modify System Firewall |
Monitor executed commands and arguments associated with disabling or the modification of system firewalls such as |
||
.006 | Indicator Blocking |
Monitor executed commands and arguments that may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. |
||
.009 | Safe Mode Boot |
Monitor executed commands and arguments associated with making configuration changes to boot settings, such as |
||
.010 | Downgrade Attack |
Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: |
||
Enterprise | T1070 | Indicator Removal on Host |
Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
|
.001 | Clear Windows Event Logs |
Monitor executed commands and arguments for actions that would delete Windows event logs (via PowerShell) |
||
.002 | Clear Linux or Mac System Logs |
Monitor executed commands and arguments for actions that could be taken to remove or overwrite system logs. |
||
.003 | Clear Command History |
Monitor executed commands and arguments for actions that could be taken to clear command history, such as |
||
.004 | File Deletion |
Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files. |
||
.005 | Network Share Connection Removal |
Monitor executed commands and arguments of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of Windows Admin Shares. |
||
Enterprise | T1202 | Indirect Command Execution |
Monitor executed commands and arguments that may be used to bypass security restrictions that limit the use of command-line interpreters. |
|
Enterprise | T1490 | Inhibit System Recovery |
Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. |
|
Enterprise | T1056 | .002 | Input Capture: GUI Input Capture |
Monitor executed commands and arguments, such as requests for credentials and/or strings related to creating password prompts that may be malicious.[36] |
||
Enterprise | T1570 | Lateral Tool Transfer |
Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files. |
|
Enterprise | T1036 | Masquerading |
Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.[37] |
|
.003 | Rename System Utilities |
Monitor executed commands and arguments for actions that could be taken to gather... |
||
.004 | Masquerade Task or Service |
Monitor executed commands and arguments that may attempt to manipulate the name of a task or service to make it appear legitimate or benign. |
||
Enterprise | T1112 | Modify Registry |
Monitor executed commands and arguments for actions that could be taken to change, conceal, and/or delete information in the Registry. The Registry may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis. |
|
Enterprise | T1046 | Network Service Discovery |
Monitor executed commands and arguments that may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. |
|
Enterprise | T1135 | Network Share Discovery |
Monitor executed commands and arguments that may attempt to enumerate folders and drives shared on remote systems as a means of identifying sources of information to gather or systems to move to laterally. |
|
Enterprise | T1040 | Network Sniffing |
Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network. |
|
Enterprise | T1027 | Obfuscated Files or Information |
Monitor executed commands and arguments containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like `^` and `"`. Deobfuscation tools can be used to detect these indicators in files/payloads.[38][39][40] |
|
.004 | Compile After Delivery |
Monitor executed commands and arguments for the invocation of common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. |
||
Enterprise | T1137 | Office Application Startup |
Monitor executed commands and arguments that may leverage Microsoft Office-based applications for persistence between startups. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.[41] SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[42] |
|
.001 | Office Template Macros |
Monitor executed commands and arguments that may abuse Microsoft Office templates to obtain persistence on a compromised system. |
||
.002 | Office Test |
Monitor executed commands and arguments that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. |
||
.003 | Outlook Forms |
Monitor executed commands and arguments that may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.[41] |
||
.004 | Outlook Home Page |
Monitor executed commands and arguments that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.[41] |
||
.005 | Outlook Rules |
Monitor executed commands and arguments that may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.[41] This PowerShell script is ineffective in gathering rules with modified PR_RULE_MSG_NAME and PR_RULE_MSG_PROVIDER properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.[43] |
||
.006 | Add-ins |
Monitor executed commands and arguments that may abuse Microsoft Office add-ins to obtain persistence on a compromised system. |
||
Enterprise | T1003 | OS Credential Dumping |
Monitor executed commands and arguments that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Look for command-lines that invoke AuditD or the Security Accounts Manager (SAM). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[44] which may require additional logging features to be configured in the operating system to collect necessary information for analysis. |
|
.001 | LSASS Memory |
Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[44] which may require additional logging features to be configured in the operating system to collect necessary information for analysis. |
||
.002 | Security Account Manager |
Monitor executed commands and arguments that may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. |
||
.003 | NTDS |
Monitor executed commands and arguments that may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. Look for command-lines that invoke attempts to access or copy the NTDS.dit. |
||
.004 | LSA Secrets |
Monitor executed commands and arguments that may attempt to access Local Security Authority (LSA) secrets. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[44] which may require additional logging features to be configured in the operating system to collect necessary information for analysis. |
||
.005 | Cached Domain Credentials |
Monitor executed commands and arguments that may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.[45] Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[44] which may require additional logging features to be configured in the operating system to collect necessary information for analysis. Detection of compromised Valid Accounts (T1078) in use by adversaries may help as well. |
||
.007 | Proc Filesystem |
Monitor executed commands and arguments that may gather credentials from information stored in the Proc filesystem or |
||
.008 | /etc/passwd and /etc/shadow |
Monitor executed commands and arguments that may attempt to dump the contents of |
||
Enterprise | T1201 | Password Policy Discovery |
Monitor executed commands and arguments for actions that may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. |
|
Enterprise | T1120 | Peripheral Device Discovery |
Monitor executed commands and arguments that may attempt to gather information about attached peripheral devices and components connected to a computer system. |
|
Enterprise | T1069 | Permission Groups Discovery |
Monitor executed commands and arguments that may attempt to find group and permission settings. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. |
|
.001 | Local Groups |
Monitor for executed commands and arguments that may attempt to find local system groups and permission settings. |
||
.002 | Domain Groups |
Monitor for executed commands and arguments that may attempt to find domain-level groups and permission settings. |
||
.003 | Cloud Groups |
Monitor for executed commands and arguments that may attempt to find cloud groups and permission settings. |
||
Enterprise | T1647 | Plist File Modification |
Monitor for commands with arguments (such as opening common command-line editors) used to modify plist files, especially commonly abused files such as those in |
|
Enterprise | T1542 | Pre-OS Boot |
Monitor executed commands and arguments in command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. |
|
.005 | TFTP Boot |
Monitor executed commands and arguments in command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. |
||
Enterprise | T1057 | Process Discovery |
Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system. |
|
Enterprise | T1012 | Query Registry |
Monitor executed commands and arguments for actions that may interact with the Windows Registry to gather information about the system, configuration, and installed software. |
|
Enterprise | T1563 | Remote Service Session Hijacking |
Monitor executed commands and arguments that may take control of preexisting sessions with remote services to move laterally in an environment. |
|
.001 | SSH Hijacking |
Monitor executed commands and arguments that may hijack a legitimate user's SSH session to move laterally within an environment. |
||
.002 | RDP Hijacking |
Monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments to detect RDP session hijacking. |
||
Enterprise | T1021 | Remote Services |
Monitor executed commands and arguments that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. |
|
.002 | SMB/Windows Admin Shares |
Monitor executed commands and arguments that connect to remote shares, such as Net, on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.[46] |
||
.006 | Windows Remote Management |
Monitor executed commands and arguments that may invoke a WinRM script to correlate it with other related events.[47] |
||
Enterprise | T1018 | Remote System Discovery |
Monitor executed commands and arguments that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. |
|
Enterprise | T1496 | Resource Hijacking |
Monitor executed commands and arguments that may indicate common cryptomining functionality. |
|
Enterprise | T1053 | Scheduled Task/Job |
Monitor executed commands and arguments that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. |
|
.002 | At |
Monitor executed commands and arguments for actions that could be taken to create/modify tasks. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. |
||
.003 | Cron |
Monitor executed atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All at jobs are stored in /var/spool/cron/atjobs/. |
||
.005 | Scheduled Task |
Monitor executed commands and arguments for actions that could be taken to create or modify tasks. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. |
||
.006 | Systemd Timers |
Monitor executed commands and arguments of the 'systemd-run' utility, as it may be used to create timers. |
||
Enterprise | T1113 | Screen Capture |
Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation. |
|
Enterprise | T1505 | .004 | Server Software Component: IIS Components |
Monitor execution and command-line arguments of |
||
.005 | Server Software Component: Terminal Services DLL |
Monitor executed commands and arguments for potential adversary actions to modify Registry values (ex: |
||
Enterprise | T1489 | Service Stop |
Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users. |
|
Enterprise | T1518 | Software Discovery |
Monitor executed commands and arguments that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. |
|
.001 | Security Software Discovery |
Monitor executed commands and arguments that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. |
||
Enterprise | T1558 | Steal or Forge Kerberos Tickets |
Monitor executed commands and arguments that may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. |
|
Enterprise | T1553 | Subvert Trust Controls |
Command monitoring may reveal malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files. |
|
.001 | Gatekeeper Bypass |
Monitor and investigate attempts to modify extended file attributes with utilities such as |
||
.004 | Install Root Certificate |
Monitor for commands, such as |
||
.006 | Code Signing Policy Modification |
Monitor for the execution of commands that could modify the code signing policy of a system, such as |
||
Enterprise | T1218 | System Binary Proxy Execution |
Monitor executed commands and arguments that may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. |
|
.001 | Compiled HTML File |
Monitor executed commands and arguments that may abuse Compiled HTML Help (.chm) files to conceal and execute malicious code. |
||
.002 | Control Panel |
When executed from the command line or clicked, control.exe will execute the CPL file (ex: |
||
.003 | CMSTP |
Monitor executed commands and arguments that may abuse CMSTP.exe, the Microsoft Connection Manager Profile Installer, to proxy execution of malicious code. |
||
.004 | InstallUtil |
Command arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed. |
||
.005 | Mshta |
Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed. |
||
.007 | Msiexec |
Command arguments used before and after the invocation of msiexec.exe may also be useful in determining the origin and purpose of the MSI files or DLLs being executed. |
||
.008 | Odbcconf |
Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded. |
||
.009 | Regsvcs/Regasm |
Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed. |
||
.010 | Regsvr32 |
Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. [56] |
||
.011 | Rundll32 |
Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. |
||
.012 | Verclsid |
Command arguments used before and after the invocation of verclsid.exe may also be useful in determining the origin and purpose of the payload being executed. |
||
.013 | Mavinject |
Adversaries may rename abusable binaries to evade detections, but the argument |
||
.014 | MMC |
Monitor executed commands and arguments that may abuse mmc.exe, the Microsoft Management Console, to proxy execution of malicious .msc files. |
||
Enterprise | T1082 | System Information Discovery |
Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. |
|
Enterprise | T1614 | System Location Discovery |
Monitor executed commands and arguments that may gather information in an attempt to calculate the geographical location of a victim host. |
|
.001 | System Language Discovery |
Monitor executed commands and arguments that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. |
||
Enterprise | T1016 | System Network Configuration Discovery |
Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. |
|
.001 | Internet Connection Discovery |
Monitor executed commands and arguments that may check for Internet connectivity on compromised systems. |
||
Enterprise | T1049 | System Network Connections Discovery |
Monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. |
|
Enterprise | T1033 | System Owner/User Discovery |
Monitor executed commands and arguments that may attempt to identify the primary user, the currently logged-in user, the set of users that commonly use a system, or whether a user is actively using the system. |
|
Enterprise | T1216 | System Script Proxy Execution |
Monitor executed commands and arguments for scripts like PubPrn.vbs that may be used to proxy execution of malicious files. |
|
.001 | PubPrn |
Monitor executed commands and arguments for scripts like PubPrn.vbs that may be used to proxy execution of malicious files. |
||
Enterprise | T1007 | System Service Discovery |
Monitor executed commands and arguments that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. |
|
Enterprise | T1569 | System Services |
Monitor for command-line invocations of tools capable of modifying services that do not correspond to normal usage patterns and known software, patch cycles, etc. |
|
.001 | Launchctl |
Monitor command-line execution of the |
||
.002 | Service Execution |
Monitor executed commands and arguments that may abuse the Windows service control manager to execute malicious commands or payloads. |
||
Enterprise | T1529 | System Shutdown/Reboot |
Monitor executed commands and arguments of binaries involved in shutting down or rebooting systems. |
|
Enterprise | T1124 | System Time Discovery |
Monitor executed commands and arguments for actions that may gather the system time and/or time zone from a local or remote system. |
|
Enterprise | T1127 | Trusted Developer Utilities Proxy Execution |
Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed. |
|
.001 | MSBuild |
Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed. |
||
Enterprise | T1552 | Unsecured Credentials |
While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information. |
|
.001 | Credentials In Files |
While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor executed commands and arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information. |
||
.002 | Credentials in Registry |
Monitor executed commands and arguments that may search the Registry on compromised systems for insecurely stored credentials. |
||
.003 | Bash History |
While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like |
||
.004 | Private Keys |
Monitor executed commands and arguments that may search for private key certificate files on compromised systems for insecurely stored credentials. |
||
.006 | Group Policy Preferences |
Monitor executed commands and arguments that may search for SYSVOL data and/or GPP XML files, especially on compromised domain controllers. |
||
.007 | Container API |
Establish centralized logging for the activity of container and Kubernetes cluster components. Monitor logs for actions that could be taken to gather credentials to container and cloud infrastructure, including the use of discovery API calls by new or unexpected users and APIs that access Docker logs. |
||
Enterprise | T1204 | User Execution |
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. |
|
.003 | Malicious Image |
Monitor executed commands and arguments that may rely on a user running a malicious cloud or container image to facilitate execution. |
||
Enterprise | T1125 | Video Capture |
Monitor executed commands and arguments that can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. |
|
Enterprise | T1497 | Virtualization/Sandbox Evasion |
Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. |
|
.001 | System Checks |
Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. |
||
.002 | User Activity Based Checks |
Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. |
||
.003 | Time Based Evasion |
Monitor executed commands and arguments that may employ various time-based methods to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. |
||
Enterprise | T1047 | Windows Management Instrumentation |
Monitor executed commands and arguments for actions that are used to perform remote behavior. |