System Activity Monitoring

Collect system activity logs which can reveal adversary activity.

Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system.

Details
ID: DTE0034
Tactics: Detect, Collect

Opportunities

ID       Description
DOS0001  There is an opportunity to study the adversary and collect first-hand observations about them and their tools.
DOS0005  There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique.
DOS0021  When authorized behavior is defined and limited for trusted partners, adversaries exploiting trust relationships are easier to detect.
DOS0027  There is an opportunity to create a detection with a moderately high probability of success.
DOS0028  There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.
DOS0123  There is an opportunity to detect an adversary who modifies website content (internally or externally) by monitoring for unauthorized changes to websites.
DOS0141  There is an opportunity to monitor logs on a system for common ways adversaries behave and to detect that activity.

Use Cases

ID       Description
DUC0011  A defender can monitor systems for the use of removable media.
DUC0021  Defenders can monitor trusted partner access, detecting unauthorized activity.
DUC0027  A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks.
DUC0033  A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.
DUC0039  A defender can use process monitoring to look for command execution and command-line parameters commonly used to inhibit system recovery.
DUC0043  A defender can implement monitoring to alert if a user account is altered outside normal business hours, from remote locations, etc.
DUC0052  A defender can collect system process information and look for abnormal activity tied to Office processes.
DUC0060  A defender can monitor for signs that security tools and other controls are being tampered with by an adversary.
DUC0063  A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts.
DUC0065  A defender could monitor for directory service changes using Windows event logs. This can alert to the presence of an adversary in the network.
DUC0070  A defender can monitor processes and command-line arguments which could be used by an adversary to change or delete information in the Windows registry.
DUC0072  A defender can monitor for user login activity that may reveal an adversary leveraging brute force techniques.
DUC0120  A defender can use process monitoring to look for the execution of utilities commonly used for data destruction, such as SDelete.
DUC0121  A defender can use process monitoring to look for the execution of utilities commonly used for ransomware and other data encryption.
DUC0123  A defender can monitor websites for unplanned content changes and generate alerts when activity is detected.
DUC0128  A defender can collect system activity and detect commands that interact with firmware. This can speed up the recovery of a system.
DUC0141  By collecting system logs, a defender can implement detections that identify abnormal BITS usage.
DUC0238  A defender could monitor logs off-system in order to detect adversary activities even when logs have been deleted on the system.

Procedures

ID       Description
DPR0059  Ensure that systems capture and retain common system-level activity artifacts that might be produced.
DPR0060  Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc.
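The event-code monitoring that DPR0060 calls for (and that use cases DUC0027 and DUC0043 describe for scheduled tasks and off-hours account changes), as an added example that is not part of this page and not MITRE tooling. The Windows Security event IDs in the table are real; everything else is an assumption for the example: the key=value record format stands in for whatever the collector forwards, the host and account names and timestamps are constructed, and the business-hours window is an assumed policy value. The block also correlates watched events by the acting account, so a short chain such as "account created, added to a privileged group, task created, audit log cleared" surfaces as one finding rather than four.

```python
"""Event-code monitoring over forwarded Windows Security events (added example).

Assumptions (not from the page): records arrive as single-line 'key=value'
fields, business hours are 08:00-18:00 on weekdays, and the sample records
below are constructed. The event IDs in WATCHED_EVENTS are real Windows
Security log IDs.
"""
from datetime import datetime, time
from typing import Dict, List

# Real Windows Security event IDs reflecting the changes DPR0060 asks to watch.
WATCHED_EVENTS = {
    4720: "user account created",
    4724: "password reset attempted by another account",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
    4698: "scheduled task created",
    1102: "security audit log cleared",
}

# Assumed business-hours policy; changes outside it get a higher severity (DUC0043).
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

# Constructed sample records in the assumed key=value format.
SAMPLE_LOG = [
    "Time=2024-03-12T09:12:03 Host=WS01 EventID=4624 Subject=alice Target=alice",
    "Time=2024-03-12T02:17:40 Host=DC01 EventID=4720 Subject=bob Target=svc_backup",
    "Time=2024-03-12T02:18:05 Host=DC01 EventID=4732 Subject=bob Target=Administrators",
    "Time=2024-03-12T02:19:11 Host=WS07 EventID=4698 Subject=bob Target=\\Updater",
    "Time=2024-03-12T02:20:30 Host=WS07 EventID=1102 Subject=bob Target=Security",
    "Time=2024-03-12T14:05:19 Host=DC01 EventID=4724 Subject=helpdesk Target=carol",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value key=value' record into a dict (values contain no spaces)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_off_hours(ts: datetime) -> bool:
    """True when the timestamp is on a weekend or outside the assumed business window."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def evaluate(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per record whose EventID is in WATCHED_EVENTS."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        event_id = int(ev.get("EventID", "0"))
        if event_id not in WATCHED_EVENTS:
            continue
        ts = datetime.fromisoformat(ev["Time"])
        off_hours = is_off_hours(ts)
        alerts.append({
            "time": ts,
            "event_id": event_id,
            "description": WATCHED_EVENTS[event_id],
            "host": ev.get("Host", "?"),
            "subject": ev.get("Subject", "?"),
            "target": ev.get("Target", "?"),
            "off_hours": off_hours,
            "severity": "high" if off_hours else "medium",
        })
    return alerts


def correlate(alerts: List[Dict[str, object]], window_minutes: int = 10) -> List[Dict[str, object]]:
    """Group alerts by acting account; report accounts with 2+ distinct watched
    events inside the window, which is the pattern of a hands-on-keyboard change."""
    by_subject: Dict[str, List[Dict[str, object]]] = {}
    for alert in alerts:
        by_subject.setdefault(str(alert["subject"]), []).append(alert)
    chains = []
    for subject, items in by_subject.items():
        items = sorted(items, key=lambda a: a["time"])
        ids = [a["event_id"] for a in items]
        span = (items[-1]["time"] - items[0]["time"]).total_seconds() / 60
        if len(set(ids)) >= 2 and span <= window_minutes:
            chains.append({"subject": subject, "event_ids": ids,
                           "hosts": sorted({str(a["host"]) for a in items}),
                           "span_minutes": round(span, 1)})
    return chains


if __name__ == "__main__":
    found = evaluate(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['time']} {a['host']} {a['event_id']} "
              f"{a['description']}: {a['subject']} -> {a['target']}")
    for c in correlate(found):
        print(f"CHAIN {c['subject']} {c['event_ids']} on {c['hosts']} within {c['span_minutes']} min")
```

Run stand-alone it lists five alerts (the interactive logon, 4624, is not watched here) and one chain attributed to bob. In a real deployment the records would be read from the forwarding pipeline rather than the embedded list, and the DUC0238 point applies: keep the copy that this logic reads off the host, so that a 1102 log-clear on the endpoint leaves the evidence intact.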

ATT&CK® Techniques

ID     Name                                        ATT&CK Tactics
T1053  Scheduled Task/Job                          Execution, Persistence, Privilege Escalation
T1059  Command and Scripting Interpreter           Execution
T1091  Replication Through Removable Media         Lateral Movement, Initial Access
T1098  Account Manipulation                        Persistence
T1110  Brute Force                                 Credential Access
T1112  Modify Registry                             Defense Evasion
T1127  Trusted Developer Utilities Proxy Execution Defense Evasion
T1137  Office Application Startup                  Persistence
T1197  BITS Jobs                                   Defense Evasion, Persistence
T1199  Trusted Relationship                        Initial Access
T1484  Group Policy Modification                   Defense Evasion, Privilege Escalation
T1485  Data Destruction                            Impact
T1486  Data Encrypted for Impact                   Impact
T1490  Inhibit System Recovery                     Impact
T1491  Defacement                                  Impact
T1495  Firmware Corruption                         Impact
T1531  Account Access Removal                      Impact
T1556  Modify Authentication Process               Credential Access, Defense Evasion
T1562  Impair Defenses                             Defense Evasion
T1564  Hide Artifacts                              Defense Evasion