BUILD CYBER ANALYTICS
The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model. CAR defines a data model that is used in its pseudocode representations of each analytic, and it also includes implementations targeted directly at specific tools (e.g., Splunk, EQL). With respect to coverage, CAR is focused on providing a set of validated and well-explained analytics, in particular with regard to their operating theory and rationale.
For this Ransomware Resource Center, we have created a specific view within the ATT&CK Navigator that highlights the known ransomware actors, software, and their tactics and techniques that are presently documented in ATT&CK. The analytics listed below detect those techniques.
Below are the cyber analytics relevant to ransomware techniques that are presently documented in ATT&CK. This information continues to evolve. Feedback on relevant information from the user community is welcome at HealthCyber@mitre.org.
The analytics are shown in three groups, based on the data sources needed to collect the required events:
Detections with data available in Windows
These events can be detected by collecting Windows security log events.
Detections Using Events from a Domain Controller
- CAR-2013-02-012: User Logged in to Multiple Hosts
- CAR-2013-02-008: Simultaneous Logins on a Host
- CAR-2013-10-001: User Login Activity Monitoring
Detections Using Events from an Endpoint Data Source
- CAR-2016-04-005: Remote Desktop Logon
Detections with data available in Windows with additional configuration
To use these detections, it is necessary to turn on Event ID 4688 (“A new process has been created”) in the Windows security log. Once this event has been enabled on endpoints, their logs need to be forwarded to the system that will be used to implement the following detections.
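As an added example (not part of the MITRE page), the following PowerShell commands enable Process Creation auditing on a single endpoint and confirm that 4688 events are being written. It also goes slightly beyond the text by enabling command-line capture in 4688, which several of the analytics below (for example the ones that inspect suspicious arguments) depend on; the registry value used for that is a documented Windows setting, and running these in an elevated session on a host managed by local policy is assumed.

```powershell
# Added example: enable Security Event ID 4688 on one endpoint.
# Assumes an elevated PowerShell session and local audit policy
# (domain-joined hosts should get the same subcategory via Group Policy,
# otherwise the local change will be overwritten at the next refresh).

# 1. Turn on the "Process Creation" audit subcategory, which emits 4688.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable

# 2. Confirm the subcategory now reports "Success and Failure".
auditpol.exe /get /subcategory:"Process Creation"

# 3. Include the full command line in 4688 events (beyond the page's text;
#    needed by analytics that look at process arguments).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
    -Value 1 -Type DWord

# 4. Verify that 4688 events are arriving in the Security log:
#    show the newest five, with the first line of each message.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5 |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } }
```

If step 4 returns no events, the setting has not taken effect yet; start any process and query again, and check that a domain policy is not overriding the local audit configuration.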
- CAR-2013-03-001: Reg.exe called from Command Shell
- CAR-2013-04-002: Quick execution of a series of suspicious commands
- CAR-2016-03-001: Host Discovery Commands
- CAR-2013-09-005: Service Outlier Executables
- CAR-2014-05-002: Services launching Cmd
- CAR-2013-08-001: Execution with schtasks
- CAR-2013-07-005: Command Line Usage of Archiving Software
- CAR-2014-11-002: Outlier Parents of Cmd
- CAR-2016-03-002: Create Remote Process via WMIC
- CAR-2013-02-003: Processes Spawning cmd.exe
- CAR-2014-04-003: Powershell Execution
- CAR-2014-11-004: Remote PowerShell Sessions
- CAR-2014-03-006: RunDLL32.exe monitoring
- CAR-2020-04-001: Shadow Copy Deletion
- CAR-2013-07-001: Suspicious Arguments
- CAR-2019-07-002: Lsass Process Dump via Procdump
To use the following detections, it is also necessary to activate file auditing on the folders to be monitored.
Detections that require additional telemetry
These detections need more data than Windows provides out of the box. They require additional tooling such as Microsoft Sysmon or an EDR solution. Consult the individual detections below for details.
- CAR-2014-03-005: Remotely Launched Executables via Services
- CAR-2013-05-003: SMB Write Request
- CAR-2013-05-005: SMB Copy and Execution
- CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks
- CAR-2013-01-002: Autorun Differences
- CAR-2013-10-002: DLL Injection via Load Library
- CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC
- CAR-2014-12-001: Remotely Launched Executables via WMI
- CAR-2014-11-005: Remote Registry
- CAR-2014-11-006: Windows Remote Management (WinRM)
- CAR-2014-05-001: RPC Activity
- CAR-2013-01-003: SMB Events Monitoring
- CAR-2014-03-001: SMB Write Request – NamedPipes
- CAR-2013-07-002: RDP Connection Detection
- CAR-2019-04-004: Credential Dumping via Mimikatz