GCP Chronicle Mappings

Chronicle is Google Cloud's security data aggregation platform and threat detection system, designed to ingest large volumes of security telemetry, detect malicious events, and report on them using known indicators of compromise. Most of the technique mappings below were correlated using Chronicle's documentation and the threat detection rules published in its GitHub repository.

Mappings

| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|---|
| chronicle | Chronicle | detect | minimal | T1021.002 | SMB/Windows Admin Shares |
| chronicle | Chronicle | detect | minimal | T1037 | Boot or Logon Initialization Scripts |
| chronicle | Chronicle | detect | minimal | T1053.005 | Scheduled Task |
| chronicle | Chronicle | detect | minimal | T1218.005 | Mshta |
| chronicle | Chronicle | detect | minimal | T1543.001 | Launch Agent |
| chronicle | Chronicle | detect | minimal | T1543.004 | Launch Daemon |
| chronicle | Chronicle | detect | minimal | T1546.001 | Change Default File Association |
| chronicle | Chronicle | detect | minimal | T1547.001 | Registry Run Keys / Startup Folder |
| chronicle | Chronicle | detect | minimal | T1547 | Boot or Logon Autostart Execution |
| chronicle | Chronicle | detect | minimal | T1546 | Event Triggered Execution |
| chronicle | Chronicle | detect | minimal | T1543 | Create or Modify System Process |
| chronicle | Chronicle | detect | minimal | T1548.002 | Bypass User Account Control |
| chronicle | Chronicle | detect | minimal | T1564.001 | Hidden Files and Directories |
| chronicle | Chronicle | detect | minimal | T1564 | Hide Artifacts |
| chronicle | Chronicle | detect | minimal | T1003.003 | NTDS |
| chronicle | Chronicle | detect | minimal | T1078 | Valid Accounts |
| chronicle | Chronicle | detect | minimal | T1134.005 | SID-History Injection |
| chronicle | Chronicle | detect | minimal | T1003 | OS Credential Dumping |
| chronicle | Chronicle | detect | minimal | T1548 | Abuse Elevation Control Mechanism |
| chronicle | Chronicle | detect | minimal | T1584.002 | DNS Server |
| chronicle | Chronicle | detect | minimal | T1562.004 | Disable or Modify System Firewall |
| chronicle | Chronicle | detect | minimal | T1098.001 | Additional Cloud Credentials |
| chronicle | Chronicle | detect | minimal | T1530 | Data from Cloud Storage Object |
| chronicle | Chronicle | detect | minimal | T1070.002 | Clear Linux or Mac System Logs |
| chronicle | Chronicle | detect | minimal | T1136.001 | Local Account |
| chronicle | Chronicle | detect | minimal | T1098 | Account Manipulation |
| chronicle | Chronicle | detect | minimal | T1106 | Native API |
| chronicle | Chronicle | detect | minimal | T1021.004 | SSH |
| chronicle | Chronicle | detect | minimal | T1578 | Modify Cloud Compute Infrastructure |
| chronicle | Chronicle | detect | minimal | T1052.001 | Exfiltration over USB |
| chronicle | Chronicle | detect | minimal | T1112 | Modify Registry |
| chronicle | Chronicle | detect | minimal | T1021 | Remote Services |
| chronicle | Chronicle | detect | minimal | T1052 | Exfiltration Over Physical Medium |
| chronicle | Chronicle | detect | minimal | T1053 | Scheduled Task/Job |
| chronicle | Chronicle | detect | minimal | T1070 | Indicator Removal on Host |
| chronicle | Chronicle | detect | minimal | T1134 | Access Token Manipulation |
| chronicle | Chronicle | detect | minimal | T1218 | Signed Binary Proxy Execution |
| chronicle | Chronicle | detect | minimal | T1584 | Compromise Infrastructure |
| chronicle | Chronicle | detect | minimal | T1056 | Input Capture |
| chronicle | Chronicle | detect | minimal | T1056.003 | Web Portal Capture |
| chronicle | Chronicle | detect | minimal | T1056.004 | Credential API Hooking |
| chronicle | Chronicle | detect | minimal | T1071.001 | Web Protocols |
| chronicle | Chronicle | detect | minimal | T1071 | Application Layer Protocol |
| chronicle | Chronicle | detect | minimal | T1059 | Command and Scripting Interpreter |
| chronicle | Chronicle | detect | minimal | T1218.010 | Regsvr32 |
| chronicle | Chronicle | detect | minimal | T1059.003 | Windows Command Shell |
| chronicle | Chronicle | detect | minimal | T1082 | System Information Discovery |
| chronicle | Chronicle | detect | minimal | T1218.003 | CMSTP |
| chronicle | Chronicle | detect | minimal | T1018 | Remote System Discovery |
| chronicle | Chronicle | detect | minimal | T1552 | Unsecured Credentials |
| chronicle | Chronicle | detect | minimal | T1486 | Data Encrypted for Impact |
| chronicle | Chronicle | detect | minimal | T1204 | User Execution |
| chronicle | Chronicle | detect | minimal | T1036.005 | Match Legitimate Name or Location |
| chronicle | Chronicle | detect | minimal | T1027.004 | Compile After Delivery |
| chronicle | Chronicle | detect | minimal | T1127.001 | MSBuild |
| chronicle | Chronicle | detect | minimal | T1127 | Trusted Developer Utilities Proxy Execution |
| chronicle | Chronicle | detect | minimal | T1190 | Exploit Public-Facing Application |
| chronicle | Chronicle | detect | minimal | T1068 | Exploitation for Privilege Escalation |
| chronicle | Chronicle | detect | minimal | T1036 | Masquerading |
| chronicle | Chronicle | detect | minimal | T1055 | Process Injection |
| chronicle | Chronicle | detect | minimal | T1210 | Exploitation of Remote Services |
| chronicle | Chronicle | detect | minimal | T1037.003 | Network Logon Script |
| chronicle | Chronicle | detect | minimal | T1212 | Exploitation for Credential Access |
| chronicle | Chronicle | detect | minimal | T1505.003 | Web Shell |
| chronicle | Chronicle | detect | minimal | T1059.007 | JavaScript |
| chronicle | Chronicle | detect | minimal | T1560 | Archive Collected Data |
| chronicle | Chronicle | detect | minimal | T1203 | Exploitation for Client Execution |
| chronicle | Chronicle | detect | minimal | T1132 | Data Encoding |
| chronicle | Chronicle | detect | minimal | T1132.001 | Standard Encoding |
| chronicle | Chronicle | detect | minimal | T1195.002 | Compromise Software Supply Chain |
| chronicle | Chronicle | detect | minimal | T1195 | Supply Chain Compromise |
| chronicle | Chronicle | detect | minimal | T1072 | Software Deployment Tools |
| chronicle | Chronicle | detect | minimal | T1546.007 | Netsh Helper DLL |
| chronicle | Chronicle | detect | minimal | T1505 | Server Software Component |
| chronicle | Chronicle | detect | minimal | T1574.007 | Path Interception by PATH Environment Variable |
| chronicle | Chronicle | detect | minimal | T1574 | Hijack Execution Flow |
| chronicle | Chronicle | detect | minimal | T1087.004 | Cloud Account |
| chronicle | Chronicle | detect | minimal | T1087 | Account Discovery |
| chronicle | Chronicle | detect | minimal | T1070.004 | File Deletion |
| chronicle | Chronicle | detect | minimal | T1020 | Automated Exfiltration |
| chronicle | Chronicle | detect | minimal | T1041 | Exfiltration Over C2 Channel |
| chronicle | Chronicle | detect | minimal | T1011 | Exfiltration Over Other Network Medium |
| chronicle | Chronicle | detect | minimal | T1027 | Obfuscated Files or Information |
| chronicle | Chronicle | detect | minimal | T1484 | Domain Policy Modification |
| chronicle | Chronicle | detect | minimal | T1136 | Create Account |
| chronicle | Chronicle | detect | minimal | T1543.003 | Windows Service |
| chronicle | Chronicle | detect | minimal | T1070.006 | Timestomp |
| chronicle | Chronicle | detect | minimal | T1003.001 | LSASS Memory |
| chronicle | Chronicle | detect | minimal | T1137.001 | Office Template Macros |
| chronicle | Chronicle | detect | minimal | T1137 | Office Application Startup |
| chronicle | Chronicle | detect | minimal | T1057 | Process Discovery |
| chronicle | Chronicle | detect | minimal | T1016 | System Network Configuration Discovery |
| chronicle | Chronicle | detect | minimal | T1049 | System Network Connections Discovery |
| chronicle | Chronicle | detect | minimal | T1033 | System Owner/User Discovery |
| chronicle | Chronicle | detect | minimal | T1588.002 | Tool |
| chronicle | Chronicle | detect | minimal | T1588 | Obtain Capabilities |
| chronicle | Chronicle | detect | minimal | T1070.001 | Clear Windows Event Logs |
| chronicle | Chronicle | detect | minimal | T1569.002 | Service Execution |
| chronicle | Chronicle | detect | minimal | T1569 | System Services |
| chronicle | Chronicle | detect | minimal | T1546.008 | Accessibility Features |
| chronicle | Chronicle | detect | minimal | T1048 | Exfiltration Over Alternative Protocol |
| chronicle | Chronicle | detect | minimal | T1105 | Ingress Tool Transfer |
| chronicle | Chronicle | detect | minimal | T1495 | Firmware Corruption |
| chronicle | Chronicle | detect | minimal | T1497 | Virtualization/Sandbox Evasion |
| chronicle | Chronicle | detect | minimal | T1202 | Indirect Command Execution |
| chronicle | Chronicle | detect | minimal | T1546.003 | Windows Management Instrumentation Event Subscription |