We have a blog! Check out MITRE Shield on Medium.

Behavioral Analytics

Deploy tools that detect unusual system or user behavior.

Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system.

Details
ID: DTE0007
Tactics:  Detect Disrupt Facilitate

Opportunities

IDDescription
DOS0131 There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors.

Use Cases

IDDescription
DUC0129 By looking for anomalies in host resource consumption and alerting on suspect activity, the defender can detect the use of system resources at odd times or at odd levels.
DUC0130 By looking for anomalies in system service states and alerting on suspect situations, the defender can detect potential malicious activity and triage the system to re-enable the services that have been stopped.
DUC0131 The defender can use behavioral analytics detect an XSL process doing something abnormal.
DUC0136 A defender could develop behavioral analytics to detect the examination of commonly used guardrails such as inspection of VM artifacts, enumeration of connected storage and/or devices, domain information, etc.
DUC0149 A defender could use implement behavioral analytics that detects common access token manipulation techniques and allow or deny these actions.
DUC0166 A defender could monitor for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.
DUC0168 A defender can monitor user interactions with images and containers to identify ones that are added or altered anomalously.
DUC0212 A defender can detect the use of non-standard protocols. By implementing behavior analytics specific to a rise in protocol traffic to a system or set of systems, one might be able to detect malicious communications from an adversary.
DUC0213 A defender can detect the use of external web services for communication relay. By implementing behavior analytics anomalies in what domains a system is communicating with, how frequently, and at what times, a defender can potentially identify malicious traffic.
DUC0217 A defender can implement behavior analytics which would indicate activity on a system executing commands in non-standard ways. This could indicate malicious activity.
DUC0218 A defender can implement behavioral analytics which would indicate activity on or against a domain controller. Activity which is out of sync with scheduled domain tasks, or results in an uptick in traffic with a particular system on the network could indicate malicious activity.
DUC0220 A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections.
DUC0221 A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity.
DUC0237 A defender can detect adversaries leveraging unused cloud regions. By implementing behavioral analytics for cloud hosts interacting with the network from regions that are not normal, one can detect potential malicious activity.
DUC0239 Defenders can detect adversaries attempting to exfiltrate to a cloud account. This can detect a system connecting to these cloud providers that it might not normally connect to, not using an account that it normally does, or during a time when it normally doesn't do so.
DUC0240 Defenders can detect adversaries attempting to open a port by analyzing incoming network connections. By looking for anomalies in what network traffic comes in, as well as patterns that might indicate intentional sequences, one can potentially identify malicious traffic. One can also look at anomalies in services suddenly listening on ports that were not being used before.
DUC0241 Defenders can look for anomalies in where an account is authenticating and what it is authenticating to in order to detect potentially malicious intent.
DUC0243 A defender can look for anomalies in accounts being active with other services/systems during hours they are normally not active. This can indicate malicious activity.
DUC0244 Defenders can detect adversaries attempting to exfiltrate over web services by implementing behavioral analytics. This can detect a system connecting to these web services that it might not normally connect to, or during a time when it normally doesn't do so.

Procedures

IDDescription
DPR0013 Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file.
DPR0014 Use behavioral analytics to identify a system running development tools, but is not used by someone who does development.
DPR0015 Use behavioral analytics to identify abnormal system processes being used to launch a different process.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1036 Masquerading Defense Evasion
T1070 Indicator Removal on Host Defense Evasion
T1095 Non-Application Layer Protocol Command and Control
T1102 Web Service Command and Control
T1134 Access Token Manipulation Defense EvasionPrivilege Escalation
T1202 Indirect Command Execution Defense Evasion
T1207 Rogue Domain Controller Defense Evasion
T1216 Signed Script Proxy Execution Defense Evasion
T1220 XSL Script Processing Defense Evasion
T1480 Execution Guardrails Defense Evasion
T1489 Service Stop Impact
T1496 Resource Hijacking Impact
T1525 Implant Container Image Persistence
T1535 Unused/Unsupported Cloud Regions Defense Evasion
T1537 Transfer Data to Cloud Account Exfiltration
T1550 Use Alternate Authentication Material Defense EvasionLateral Movement
T1554 Compromise Client Software Binary Persistence
T1563 Remote Service Session Hijacking Lateral Movement
T1567 Exfiltration Over Web Service Exfiltration