Collect system activity logs which can reveal adversary activity.
Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system.
|There is an opportunity to study the adversary and collect first-hand observations about them and their tools.
|There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique.
|When authorized behavior is defined and limited for trusted partners, adversaries exploiting trust relationships are easier to detect.
|There is an opportunity to create a detection with a moderately high probability of success.
|There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.
|There is an opportunity to detect an adversary who modifies website content (internally or externally) by monitoring for unauthorized changes to websites.
|There is an opportunity to monitor logs on a system for common ways adversaries behave and to detect that activity.
|A defender can monitor systems for the use of removable media.
|Defenders can monitor trusted partner access, detecting unauthorized activity.
|A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks.
|A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.
|A defender can use process monitoring to look for command execution and command line parameters commonly used to inhibit system recovery.
|A defender can implement monitoring to alert if a user account is altered outside normal business hours, from remote locations, etc.
|A defender can collect system process information and look for abnormal activity tied to Office processes.
|A defender can monitor for signs that security tools and other controls are being tampered with by an adversary.
|A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts.
|A defender could monitor for directory service changes using Windows event logs. This can alert to the presence of an adversary in the network.
|A defender can monitor processes and command-line arguments which could be used by an adversary to change or delete information in the Windows registry.
|A defender can monitor for user login activity that may reveal an adversary leveraging brute force techniques.
|A defender can use process monitoring to look for the execution of utilities commonly used for data destruction, such as SDelete.
|A defender can use process monitoring to look for the execution of utilities commonly used for ransomware and other data encryption.
|A defender can monitor websites for unplanned content changes and generate alerts when activity is detected.
|A defender can collect system activity and detect commands that interact with firmware. This can speed up the recovery of a system.
|By collecting system logs, a defender can implement detections that identify abnormal BITS usage.
|A defender could monitor logs off-system in order to detect adversary activities even when logs have been deleted on the system.
|Ensure that systems capture and retain common system level activity artifacts that might be produced.
|Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc.
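As an added example (not part of this page, and not MITRE's or Microsoft's code), the following Python triages Windows Security event records against several of the use cases and procedures listed above: scheduled task creation, account and group changes flagged when they happen outside business hours or from a remote address, clearing of the audit log, and repeated failed logons from one source. The event IDs are the standard Windows Security log values; the business-hours window, the internal network ranges, the brute-force threshold and the event records themselves are assumptions constructed for the example.

```python
"""Triage constructed Windows Security event records against the use cases above.
Added example; the records are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Standard Windows Security log event IDs and the activity each one reflects.
WATCHED_EVENTS = {
    4698: "scheduled task created",
    4702: "scheduled task updated",
    4720: "user account created",
    4724: "account password reset",
    4728: "member added to global security group",
    4732: "member added to local security group",
    5136: "directory service object modified",
    1102: "audit log cleared",
}
ACCOUNT_CHANGE_EVENTS = {4720, 4724, 4728, 4732}
LOGON_FAILURE = 4625

# Assumptions for this example: business hours, the organisation's internal
# address ranges, and how many failures from one source count as brute force.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=2)

# Constructed records shaped like JSON-exported Security log entries (2024-03-04 is a Monday).
SAMPLE_EVENTS = [
    {"EventID": 4698, "TimeCreated": "2024-03-04T14:02:11", "SubjectUserName": "svc-backup", "IpAddress": "-", "Computer": "WS01"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T14:05:00", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5", "Computer": "WS01"},
    {"EventID": 4728, "TimeCreated": "2024-03-04T02:17:43", "SubjectUserName": "jdoe", "IpAddress": "203.0.113.7", "Computer": "DC01"},
    {"EventID": 1102, "TimeCreated": "2024-03-04T02:20:09", "SubjectUserName": "jdoe", "IpAddress": "-", "Computer": "DC01"},
] + [
    # six failed logons from one source within 25 seconds
    {"EventID": 4625, "TimeCreated": f"2024-03-04T03:00:{s:02d}", "TargetUserName": "administrator",
     "IpAddress": "198.51.100.9", "Computer": "DC01"}
    for s in range(0, 30, 5)
]


def parse_time(stamp):
    """Parse the ISO-8601 timestamp used in the exported records."""
    return datetime.fromisoformat(stamp)


def outside_business_hours(ts):
    """True on weekends or outside the assumed working window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def is_remote(ip):
    """True for a routable address that is neither loopback nor in an internal range."""
    if not ip or ip == "-":
        return False
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not addr.is_loopback and not any(addr in net for net in INTERNAL_NETWORKS)


def triage(events):
    """Return one alert dict per suspicious record, in input order."""
    alerts = []
    failures = defaultdict(list)  # source address -> recent failure timestamps
    for ev in events:
        eid, ts = ev.get("EventID"), parse_time(ev["TimeCreated"])
        host, ip = ev.get("Computer", "?"), ev.get("IpAddress", "-")
        if eid == LOGON_FAILURE:
            # keep only failures inside the sliding window, then add this one
            window = [t for t in failures[ip] if ts - t <= BRUTE_FORCE_WINDOW] + [ts]
            failures[ip] = window
            if len(window) == BRUTE_FORCE_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append({"host": host, "time": ev["TimeCreated"], "event_id": eid,
                               "actor": ev.get("TargetUserName", "-"), "severity": "high",
                               "reason": f"{len(window)} failed logons from {ip} within {BRUTE_FORCE_WINDOW}"})
            continue
        if eid not in WATCHED_EVENTS:
            continue
        reason, severity = WATCHED_EVENTS[eid], "medium"
        if eid == 1102:
            severity = "high"  # log clearing is itself a strong indicator
        elif eid in ACCOUNT_CHANGE_EVENTS:
            flags = []
            if outside_business_hours(ts):
                flags.append("outside business hours")
            if is_remote(ip):
                flags.append(f"from remote address {ip}")
            if flags:
                severity, reason = "high", reason + " (" + ", ".join(flags) + ")"
        alerts.append({"host": host, "time": ev["TimeCreated"], "event_id": eid,
                       "actor": ev.get("SubjectUserName", "-"), "reason": reason, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] {alert['host']} {alert['time']} {alert['event_id']} {alert['actor']}: {alert['reason']}")
```

Run against the constructed records this yields four alerts: the scheduled task creation at medium severity, the off-hours group change from a remote address at high, the audit log clearing at high, and one brute-force alert when the fifth failure from the same source arrives. Collected from a central log store rather than the host itself, the 1102 alert survives even if the adversary clears the local log, which is the point of the off-system monitoring use case above.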
|Execution, Persistence, Privilege Escalation
|Command and Scripting Interpreter
|Replication Through Removable Media
|Lateral Movement, Initial Access
|Trusted Developer Utilities Proxy Execution
|Office Application Startup
|Defense Evasion, Persistence
|Group Policy Modification
|Defense Evasion, Privilege Escalation
|Data Encrypted for Impact
|Inhibit System Recovery
|Account Access Removal
|Modify Authentication Process
|Credential Access, Defense Evasion