-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2013-01-002.yaml
74 lines (73 loc) · 2.63 KB
/
CAR-2013-01-002.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
title: Autorun Differences
submission_date: 2013/01/25
information_domain: 'Analytic, Host'
platforms:
- Windows
subtypes:
- Registry
analytic_types:
- Situational Awareness
- TTP
contributors:
- MITRE
id: CAR-2013-01-002
description: |-
The Sysinternals tool [Autoruns](../sensors/autoruns) checks the registry and file system for known identify persistence mechanisms. It will output any tools identified, including built-in or added-on Microsoft functionality and third party software. Many of these locations are known by adversaries and used to obtain [Persistence](https://attack.mitre.org/tactics/TA0003). Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool. Thus, this analytic may result in significant noise in a highly dynamic environment. While Autoruns is a convenient method to scan for programs using persistence mechanisms its scanning nature does not conform well to streaming based analytics. This analytic could be replaced with one that draws from sensors that collect registry and file information if streaming analytics are desired.
Utilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself but through analysis of results by an analyst can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative.
coverage:
- technique: T1543
tactics:
- TA0003
subtechniques:
- T1543.003
coverage: Moderate
- technique: T1053
tactics:
- TA0003
subtechniques:
- T1053.005
coverage: Moderate
- technique: T1547
tactics:
- TA0003
subtechniques:
- T1547.001
- T1547.010
- T1547.004
coverage: Moderate
- technique: T1574
tactics:
- TA0003
- TA0004
subtechniques:
- T1574.007
- T1574.008
- T1574.009
- T1574.010
- T1574.011
coverage: Moderate
- technique: T1546
tactics:
- TA0004
- TA0003
subtechniques:
- T1546.001
- T1546.003
- T1546.008
- T1546.010
coverage: Moderate
- technique: T1112
tactics:
- TA0003
- TA0002
coverage: Moderate
- technique: T1037
tactics:
- TA0003
subtechniques:
- T1037.001
coverage: Moderate
d3fend_mappings:
- iri: d3f:SystemInitConfigAnalysis
id: D3-SICA
label: System Init Config Analysis