Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable.
Standard Operating Procedures (SOPs) establish a structured, documented way of interacting with systems and services. They are in place for all users so that legitimate work is done in the approved manner, which lets the defender treat everything else as a deviation. An adversary who does not know the SOP, or cannot satisfy it (for example because a step requires an approval they cannot obtain), produces activity that does not conform, and that activity is easier to identify, alert on, and respond to. This only works if deviations are actually logged and reviewed rather than merely discouraged, and if legitimate deviations are rare enough that an alert on one is worth an analyst's time.
Opportunities:

| ID | Description |
|---|---|
| DOS0027 | There is an opportunity to create a detection with a moderately high probability of success. |
| DOS0095 | There is an opportunity to detect an adversary's activity if they are unable to follow a company's documented standard operating procedures. |
Use cases:

| ID | Description |
|---|---|
| DUC0047 | A defender can detect user accounts created outside the acceptable process. |
| DUC0054 | A defender can define operating procedures for adding services and alert when they are not followed. |
| DUC0061 | A defender can define operating procedures for modifying GPOs and alert when they are not followed. |
| DUC0095 | A defender can implement a standard operating procedure that does not allow a user to satisfy a 2FA or MFA challenge more than once without another process being invoked, so that a second use of an intercepted factor stands out. |
| DUC0254 | A defender can define operating procedures for interacting with cloud services and alert when they are not followed. |
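The use cases above share one detection pattern: a privileged change (account creation, service install, GPO edit, cloud IAM change) is legitimate only if a matching approval exists and the change happened inside the approval's validity window. The following is an added example, not part of the original page and not MITRE tooling; the log format, the field names, the four-hour window and the change records are all constructed for illustration.

```python
"""Flag privileged changes that have no matching, still-valid approval.

Added example (not page or MITRE code). The event and approval logs below are
constructed; the key=value format and the 4-hour window are assumptions.
"""
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta

APPROVAL_WINDOW = timedelta(hours=4)  # assumed SOP rule: change within 4h of approval

# Constructed change events: "<timestamp> actor=... kind=... target=..."
EVENTS_LOG = """\
2024-05-01T09:12:00 actor=alice kind=account_create target=svc-backup
2024-05-01T09:40:00 actor=bob kind=gpo_modify target="Default Domain Policy"
2024-05-01T13:05:00 actor=alice kind=account_create target=tmpadmin
2024-05-01T22:30:00 actor=carol kind=service_install target=WinRMHelper
2024-05-02T08:00:00 actor=dave kind=cloud_iam target=arn:aws:iam::123456789012:role/Admin
"""

# Constructed approvals: "<ticket> actor=... kind=... target=... approved_at=..."
APPROVALS_LOG = """\
CHG-1041 actor=alice kind=account_create target=svc-backup approved_at=2024-05-01T08:30:00
CHG-1042 actor=bob kind=gpo_modify target="Default Domain Policy" approved_at=2024-05-01T09:00:00
CHG-1043 actor=carol kind=service_install target=WinRMHelper approved_at=2024-05-01T10:00:00
CHG-1044 actor=dave kind=cloud_iam target=arn:aws:iam::123456789012:role/Admin approved_at=2024-05-02T07:30:00
"""


@dataclass(frozen=True)
class ChangeEvent:
    time: datetime
    actor: str
    kind: str
    target: str


@dataclass(frozen=True)
class Approval:
    ticket: str
    actor: str
    kind: str
    target: str
    approved_at: datetime


def _kv(fields):
    """Turn ['actor=alice', 'kind=...'] into a dict; shlex already removed quotes."""
    return dict(f.split("=", 1) for f in fields)


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *rest = shlex.split(line)
        kv = _kv(rest)
        events.append(ChangeEvent(datetime.fromisoformat(ts), kv["actor"], kv["kind"], kv["target"]))
    return events


def parse_approvals(text):
    approvals = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ticket, *rest = shlex.split(line)
        kv = _kv(rest)
        approvals.append(Approval(ticket, kv["actor"], kv["kind"], kv["target"],
                                  datetime.fromisoformat(kv["approved_at"])))
    return approvals


def classify(event, approvals):
    """Return (status, ticket): 'approved', 'expired' (ticket exists but the change
    fell outside the window) or 'unapproved' (no ticket for actor/kind/target)."""
    matches = [a for a in approvals
               if (a.actor, a.kind, a.target) == (event.actor, event.kind, event.target)]
    for a in matches:
        if a.approved_at <= event.time <= a.approved_at + APPROVAL_WINDOW:
            return "approved", a.ticket
    if matches:
        return "expired", matches[0].ticket
    return "unapproved", None


def sop_violations(events, approvals):
    """Every event that did not follow the SOP, in log order, with the reason."""
    out = []
    for e in events:
        status, ticket = classify(e, approvals)
        if status != "approved":
            out.append((e, status, ticket))
    return out


if __name__ == "__main__":
    for e, status, ticket in sop_violations(parse_events(EVENTS_LOG), parse_approvals(APPROVALS_LOG)):
        print(f"ALERT {e.time.isoformat()} {e.actor} {e.kind} {e.target}: {status} (ticket={ticket})")
```

Two of the five constructed changes are flagged: the `tmpadmin` account has no ticket at all, and the `WinRMHelper` service was installed twelve hours after its approval, outside the window. Matching on actor, change type and target (not just on "a ticket exists for this user") is what stops an adversary from riding a legitimate, unrelated approval. In production the approval source would be the ticketing system and the events would come from the directory, endpoint and cloud audit logs.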
Procedures:

| ID | Description |
|---|---|
| DPR0057 | Require approvals and waivers before users make changes to their systems that require administrative access. Any change not made through this process is suspect and is immediately investigated as malicious activity. |
| DPR0058 | Create a development library that all users must use to interact with any hosted databases. The library rewrites each query into a distinctive form that is impractical to produce by hand. Any query that does not carry that form was issued without the library; it is now obvious to detect and is immediately investigated as malicious activity. |
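One concrete way to give queries the "distinctive form" DPR0058 describes is to have the mandated library append a keyed tag (an HMAC over the normalized query text) as a trailing SQL comment; a hand-typed query cannot carry a valid tag, and a tag copied from one query onto another fails verification because it is bound to the query text. This is an added example, not code from the page or from MITRE; the key, the `/* sop:... */` comment format and the `<user> <sql>` log format are assumptions constructed for illustration.

```python
"""Keyed query tagging for DPR0058: library emits tagged queries, detector flags the rest.

Added example (not page or MITRE code). Key, tag format and log format are assumed.
"""
import hashlib
import hmac
import re

# Assumption: shared between the development library and the log reviewer.
SOP_KEY = b"example-key-rotate-me"
TAG_RE = re.compile(r"\s*/\* sop:([0-9a-f]{32}) \*/\s*$")


def normalize(sql):
    """Collapse whitespace so formatting differences do not change the tag."""
    return " ".join(sql.split())


def tag_query(sql, key=SOP_KEY):
    """What the mandated library sends to the database: normalized query + tag."""
    body = normalize(sql)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body} /* sop:{mac} */"


def verify_query(logged_sql, key=SOP_KEY):
    """True only if the query ends with a tag that is valid for its own text."""
    m = TAG_RE.search(logged_sql)
    if not m:
        return False
    body = normalize(logged_sql[:m.start()])
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(expected, m.group(1))


def untagged_queries(log_lines, key=SOP_KEY):
    """Detection pass over a query log ("<user> <sql>" per line, assumed format)."""
    suspects = []
    for line in log_lines:
        user, _, sql = line.partition(" ")
        if not verify_query(sql, key):
            suspects.append((user, sql))
    return suspects


# Constructed query log: two library-issued queries, then three that bypass it.
QUERY_LOG = [
    "app_svc " + tag_query("SELECT id, email FROM users WHERE id = %s"),
    "app_svc " + tag_query("UPDATE orders SET status = 'shipped' WHERE id = %s"),
    "dba_tmp SELECT * FROM users",                                       # hand-typed, no tag
    "app_svc SELECT * FROM users /* sop:" + "0" * 32 + " */",            # forged tag
    "app_svc " + tag_query("SELECT 1").replace("SELECT 1",
                                               "SELECT password_hash FROM users"),  # tag reused on other text
]


if __name__ == "__main__":
    for user, sql in untagged_queries(QUERY_LOG):
        print(f"ALERT untagged query by {user}: {sql}")
```

The three bypass cases are all reported: the missing tag, the forged tag, and the valid tag moved onto a different statement. Two caveats a deployment needs: the tag detects bypass of the library but does not prevent it, so the database credentials should only be reachable through the library (or an intermediary that enforces the tag); and the key must not be recoverable from the application code an adversary can read, or they can tag their own queries.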
ATT&CK techniques:

| ID | Name | ATT&CK Tactics |
|---|---|---|
| T1111 | Two-Factor Authentication Interception | Credential Access |
| T1136 | Create Account | Persistence |
| T1562 | Impair Defenses | Defense Evasion |
| T1569 | System Services | Execution |
| T1580 | Cloud Infrastructure Discovery | Discovery |