Collect system activity logs which can reveal adversary activity.
Captured system logs show logons, user and system events, and similar activity. Collecting this data, and forwarding it to a centralized location where an adversary on the compromised host cannot delete it, helps reveal the presence of an adversary and the actions they perform on a compromised system.
ID | Opportunity
---|---
DOS0001 | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. |
DOS0005 | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. |
DOS0021 | When authorized behavior is defined and limited for trusted partners, adversaries exploiting trust relationships are easier to detect. |
DOS0027 | There is an opportunity to create a detection with a moderately high probability of success. |
DOS0028 | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. |
DOS0123 | There is an opportunity to detect an adversary who modifies website content (internally or externally) by monitoring for unauthorized changes to websites. |
DOS0141 | There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity. |
ID | Use Case
---|---
DUC0011 | A defender can monitor systems for the use of removable media.
DUC0021 | Defenders can monitor trusted partner access, detecting unauthorized activity. |
DUC0027 | A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks. |
DUC0033 | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
DUC0039 | A defender can use process monitoring to look for command execution and command line parameters commonly used to inhibit system recovery. |
DUC0043 | A defender can implement monitoring to alert if a user account is altered outside normal business hours, from remote locations, etc. |
DUC0052 | A defender can collect system process information and look for abnormal activity tied to Office processes. |
DUC0060 | A defender can monitor for signs that security tools and other controls are being tampered with by an adversary. |
DUC0063 | A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts. |
DUC0065 | A defender could monitor for directory service changes using Windows event logs. This can alert to the presence of an adversary in the network. |
DUC0070 | A defender can monitor processes and command-line arguments which could be used by an adversary to change or delete information in the Windows registry. |
DUC0072 | A defender can monitor for user login activity that may reveal an adversary leveraging brute force techniques. |
DUC0120 | A defender can use process monitoring to look for the execution of utilities commonly used for data destruction, such as SDelete. |
DUC0121 | A defender can use process monitoring to look for the execution of utilities commonly used for ransomware and other data encryption. |
DUC0123 | A defender can monitor websites for unplanned content changes and generate alerts when activity is detected. |
DUC0128 | A defender can collect system activity and detect commands that interact with firmware. This can speed up the recovery of a system. |
DUC0141 | By collecting system logs, a defender can implement detections that identify abnormal BITS usage. |
DUC0238 | A defender could monitor logs off-system in order to detect adversary activities even when logs have been deleted on the system. |
ID | Procedure
---|---
DPR0059 | Ensure that systems capture and retain common system level activity artifacts that might be produced. |
DPR0060 | Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc. |
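The following is an added example, not MITRE's own code, of what DUC0027, DUC0043, DUC0072, DUC0238 and DPR0060 look like as detection logic once Security log records have been forwarded to a collector. The event records are constructed sample data; the field names (`time`, `id`, `host`, `user`, `src`, `target`, `group`, `task`), the 08:00-17:59 business-hours window and the five-failures-in-five-minutes brute-force threshold are all assumptions for illustration. The Windows Security event IDs used (4625/4624 logon failure/success, 4720/4724/4728/4732 account and group changes, 4698 scheduled task created, 1102 audit log cleared) are the standard ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security log records (not real data). Each dict holds the
# subset of fields a log forwarder would ship to a central collector.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T02:13:05", "id": 4625, "host": "FS01", "user": "svc_backup", "src": "10.9.8.7"},
    {"time": "2024-03-04T02:13:09", "id": 4625, "host": "FS01", "user": "svc_backup", "src": "10.9.8.7"},
    {"time": "2024-03-04T02:13:14", "id": 4625, "host": "FS01", "user": "svc_backup", "src": "10.9.8.7"},
    {"time": "2024-03-04T02:13:20", "id": 4625, "host": "FS01", "user": "svc_backup", "src": "10.9.8.7"},
    {"time": "2024-03-04T02:13:27", "id": 4625, "host": "FS01", "user": "svc_backup", "src": "10.9.8.7"},
    {"time": "2024-03-04T02:14:40", "id": 4624, "host": "FS01", "user": "svc_backup", "src": "10.9.8.7"},
    {"time": "2024-03-04T02:15:10", "id": 4728, "host": "DC01", "user": "svc_backup", "target": "j.doe", "group": "Domain Admins"},
    {"time": "2024-03-04T02:16:00", "id": 4698, "host": "FS01", "user": "svc_backup", "task": "\\Microsoft\\Windows\\Updater"},
    {"time": "2024-03-04T02:17:00", "id": 1102, "host": "FS01", "user": "svc_backup"},
    {"time": "2024-03-04T10:30:00", "id": 4732, "host": "DC01", "user": "helpdesk1", "target": "new.hire", "group": "Sales"},
    {"time": "2024-03-04T11:02:33", "id": 4625, "host": "FS01", "user": "a.lee", "src": "10.1.2.3"},
]

# Windows Security log event IDs the use cases above key on.
FAILED_LOGON, SUCCESS_LOGON = 4625, 4624
ACCOUNT_CHANGE = {4720: "user created", 4724: "password reset",
                  4728: "added to global group", 4732: "added to local group"}
TASK_CREATED, LOG_CLEARED = 4698, 1102

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 is normal for this environment


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """DUC0072: one source IP produces `threshold` failed logons inside `window`.
    Severity is raised if the same source then logs on successfully."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=_t):
        if ev["id"] in (FAILED_LOGON, SUCCESS_LOGON):
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        failures = [_t(e) for e in evs if e["id"] == FAILED_LOGON]
        # Sliding window over the time-ordered failures from this source.
        for i in range(len(failures) - threshold + 1):
            if failures[i + threshold - 1] - failures[i] <= window:
                first_fail = failures[i]
                success = next((e for e in evs if e["id"] == SUCCESS_LOGON and _t(e) > first_fail), None)
                alerts.append({"rule": "brute_force", "src": src, "host": evs[0]["host"],
                               "severity": "high" if success else "medium",
                               "user": success["user"] if success else evs[0]["user"]})
                break  # one alert per source is enough here
    return alerts


def detect_offhours_account_change(events):
    """DUC0043 / DPR0060: account creation, password reset or group membership
    change outside business hours."""
    return [{"rule": "offhours_account_change", "host": ev["host"], "user": ev["user"],
             "detail": f"{ACCOUNT_CHANGE[ev['id']]} target={ev.get('target')} group={ev.get('group')}"}
            for ev in events
            if ev["id"] in ACCOUNT_CHANGE and _t(ev).hour not in BUSINESS_HOURS]


def detect_task_and_log_clear(events):
    """DUC0027: a new scheduled task (4698). DUC0238: the Security log was cleared
    (1102); this only fires because the record reached the collector before the wipe."""
    alerts = []
    for ev in events:
        if ev["id"] == TASK_CREATED:
            alerts.append({"rule": "scheduled_task_created", "host": ev["host"],
                           "user": ev["user"], "detail": ev["task"]})
        elif ev["id"] == LOG_CLEARED:
            alerts.append({"rule": "security_log_cleared", "host": ev["host"],
                           "user": ev["user"], "detail": ""})
    return alerts


def run_detections(events):
    return (detect_brute_force(events)
            + detect_offhours_account_change(events)
            + detect_task_and_log_clear(events))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Against the sample data this raises four alerts: a high-severity brute-force alert for 10.9.8.7 (five failures followed by a success), an off-hours addition of j.doe to Domain Admins, the scheduled task creation, and the log-clear event. The helpdesk group change at 10:30 is inside business hours and is intentionally not alerted on, which is the kind of tuning DUC0043 implies; in production the thresholds, hours and privileged-group list would come from the environment rather than constants.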
ID | ATT&CK Technique | ATT&CK Tactics
---|---|---
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1059 | Command and Scripting Interpreter | Execution |
T1091 | Replication Through Removable Media | Lateral Movement, Initial Access |
T1098 | Account Manipulation | Persistence |
T1110 | Brute Force | Credential Access |
T1112 | Modify Registry | Defense Evasion |
T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion |
T1137 | Office Application Startup | Persistence |
T1197 | BITS Jobs | Defense Evasion, Persistence |
T1199 | Trusted Relationship | Initial Access |
T1484 | Group Policy Modification | Defense Evasion, Privilege Escalation |
T1485 | Data Destruction | Impact |
T1486 | Data Encrypted for Impact | Impact |
T1490 | Inhibit System Recovery | Impact |
T1491 | Defacement | Impact |
T1495 | Firmware Corruption | Impact |
T1531 | Account Access Removal | Impact |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion |
T1562 | Impair Defenses | Defense Evasion |
T1564 | Hide Artifacts | Defense Evasion |