MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.
Behavioral Analytics
Deploy tools that detect unusual system or user behavior.
Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system.
Details
ID:
DTE0007
Opportunities
| ID | Description |
|---|---|
| DOS0131 | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. |
Use Cases
| ID | Description |
|---|---|
| DUC0129 | By looking for anomalies in host resource consumption and alerting on suspect activity, the defender can detect the use of system resources at odd times or at odd levels. |
| DUC0130 | By looking for anomalies in system service states and alerting on suspect situations, the defender can detect potential malicious activity and triage the system to re-enable the services that have been stopped. |
| DUC0131 | The defender can use behavioral analytics detect an XSL process doing something abnormal. |
| DUC0136 | A defender could develop behavioral analytics to detect the examination of commonly used guardrails such as inspection of VM artifacts, enumeration of connected storage and/or devices, domain information, etc. |
| DUC0149 | A defender could use implement behavioral analytics that detects common access token manipulation techniques and allow or deny these actions. |
| DUC0166 | A defender could monitor for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections. |
| DUC0168 | A defender can monitor user interactions with images and containers to identify ones that are added or altered anomalously. |
| DUC0212 | A defender can detect the use of non-standard protocols. By implementing behavior analytics specific to a rise in protocol traffic to a system or set of systems, one might be able to detect malicious communications from an adversary. |
| DUC0213 | A defender can detect the use of external web services for communication relay. By implementing behavior analytics anomalies in what domains a system is communicating with, how frequently, and at what times, a defender can potentially identify malicious traffic. |
| DUC0217 | A defender can implement behavior analytics which would indicate activity on a system executing commands in non-standard ways. This could indicate malicious activity. |
| DUC0218 | A defender can implement behavioral analytics which would indicate activity on or against a domain controller. Activity which is out of sync with scheduled domain tasks, or results in an uptick in traffic with a particular system on the network could indicate malicious activity. |
| DUC0220 | A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections. |
| DUC0221 | A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity. |
| DUC0237 | A defender can detect adversaries leveraging unused cloud regions. By implementing behavioral analytics for cloud hosts interacting with the network from regions that are not normal, one can detect potential malicious activity. |
| DUC0239 | Defenders can detect adversaries attempting to exfiltrate to a cloud account. This can detect a system connecting to these cloud providers that it might not normally connect to, not using an account that it normally does, or during a time when it normally doesn't do so. |
| DUC0240 | Defenders can detect adversaries attempting to open a port by analyzing incoming network connections. By looking for anomalies in what network traffic comes in, as well as patterns that might indicate intentional sequences, one can potentially identify malicious traffic. One can also look at anomalies in services suddenly listening on ports that were not being used before. |
| DUC0241 | Defenders can look for anomalies in where an account is authenticating and what it is authenticating to in order to detect potentially malicious intent. |
| DUC0243 | A defender can look for anomalies in accounts being active with other services/systems during hours they are normally not active. This can indicate malicious activity. |
| DUC0244 | Defenders can detect adversaries attempting to exfiltrate over web services by implementing behavioral analytics. This can detect a system connecting to these web services that it might not normally connect to, or during a time when it normally doesn't do so. |
Procedures
| ID | Description |
|---|---|
| DPR0013 | Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file. |
| DPR0014 | Use behavioral analytics to identify a system running development tools, but is not used by someone who does development. |
| DPR0015 | Use behavioral analytics to identify abnormal system processes being used to launch a different process. |
ATT&CK® Techniques
ID | Name | ATT&CK Tactics |
|---|---|---|
| T1036 | Masquerading | Defense Evasion |
| T1070 | Indicator Removal on Host | Defense Evasion |
| T1095 | Non-Application Layer Protocol | Command and Control |
| T1102 | Web Service | Command and Control |
| T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
| T1202 | Indirect Command Execution | Defense Evasion |
| T1207 | Rogue Domain Controller | Defense Evasion |
| T1216 | Signed Script Proxy Execution | Defense Evasion |
| T1220 | XSL Script Processing | Defense Evasion |
| T1480 | Execution Guardrails | Defense Evasion |
| T1489 | Service Stop | Impact |
| T1496 | Resource Hijacking | Impact |
| T1525 | Implant Container Image | Persistence |
| T1535 | Unused/Unsupported Cloud Regions | Defense Evasion |
| T1537 | Transfer Data to Cloud Account | Exfiltration |
| T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement |
| T1554 | Compromise Client Software Binary | Persistence |
| T1563 | Remote Service Session Hijacking | Lateral Movement |
| T1567 | Exfiltration Over Web Service | Exfiltration |