NIST 800-53 SI-4 Mappings

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.

Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-07 and AC-17.

The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-02g, AC-02(07), AC-02(12)(a), AC-17(01), AU-13, AU-13(01), AU-13(02), CM-03f, CM-06d, MA-03a, MA-04a, SC-05(03)(b), SC-07a, SC-07(24)(b), SC-18b, SC-43b).

Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
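
As an added illustration of the "HTTP traffic that bypasses HTTP proxies" monitoring objective named above (this is example code written for this page, not part of NIST SP 800-53 and not code from the ATT&CK mapping project), the following Python walks Zeek-style conn records collected at a managed interface and flags web flows from internal hosts that did not go through the forward proxy. The internal address ranges, the proxy address 10.0.0.5:3128, the record layout and the sample log lines are all constructed assumptions for the example.

```python
"""Flag HTTP/TLS flows from internal hosts that bypass the forward proxy.

Example code for this page. Everything below (network ranges, proxy address,
the Zeek-like conn record layout and the sample records) is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

# Assumed policy: internal clients may reach the web only via the proxy.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
PROXY_ADDR = ipaddress.ip_address("10.0.0.5")   # assumed proxy, port 3128
WEB_SERVICES = {"http", "ssl"}                   # Zeek service labels for HTTP / TLS
WEB_PORTS = {80, 443, 8080, 8443}                # fallback when service is unknown

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Flow:
    ts: str
    src: IPAddr
    sport: int
    dst: IPAddr
    dport: int
    proto: str
    service: Optional[str]   # None when the sensor could not identify it


def parse_conn(line: str) -> Optional[Flow]:
    """Parse one tab-separated record: ts uid orig_h orig_p resp_h resp_p proto service.
    Comment/header lines and malformed records yield None."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 8:
        return None
    try:
        return Flow(f[0], ipaddress.ip_address(f[2]), int(f[3]),
                    ipaddress.ip_address(f[4]), int(f[5]), f[6],
                    None if f[7] == "-" else f[7])
    except ValueError:
        return None


def is_internal(addr: IPAddr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def looks_like_web(flow: Flow) -> bool:
    """Prefer the sensor's protocol label, which also catches HTTP on a
    non-standard port; fall back to well-known ports when it is missing."""
    if flow.proto != "tcp":
        return False
    if flow.service is not None:
        return flow.service in WEB_SERVICES
    return flow.dport in WEB_PORTS


def find_proxy_bypass(lines: Iterable[str]) -> List[dict]:
    """One finding per internal-to-external web flow that did not originate at the proxy."""
    findings = []
    for line in lines:
        flow = parse_conn(line)
        if flow is None:
            continue
        if not is_internal(flow.src) or is_internal(flow.dst):
            continue                  # inbound or intranet traffic: out of scope here
        if flow.src == PROXY_ADDR:
            continue                  # the proxy's own upstream fetches are expected
        if not looks_like_web(flow):
            continue
        findings.append({"ts": flow.ts, "src": str(flow.src),
                         "dst": f"{flow.dst}:{flow.dport}",
                         "service": flow.service or "unknown"})
    return findings


# Constructed sample records (documentation/TEST-NET addresses, not real traffic).
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1700000000.1\tC1\t10.1.2.3\t51000\t10.0.0.5\t3128\ttcp\thttp
1700000001.2\tC2\t10.0.0.5\t40000\t93.184.216.34\t443\ttcp\tssl
1700000002.3\tC3\t10.1.2.3\t51001\t93.184.216.34\t443\ttcp\tssl
1700000003.4\tC4\t10.1.2.9\t51002\t198.51.100.7\t4444\ttcp\thttp
1700000004.5\tC5\t10.1.2.9\t51003\t10.1.5.5\t80\ttcp\thttp
1700000005.6\tC6\t10.1.2.9\t51004\t198.51.100.7\t53\tudp\tdns
1700000006.7\tC7\t10.1.2.4\t51005\t203.0.113.10\t80\ttcp\t-
"""

if __name__ == "__main__":
    for hit in find_proxy_bypass(SAMPLE_CONN_LOG.splitlines()):
        print(hit)
```

Run against the constructed sample, the check reports three flows: the direct TLS connection from 10.1.2.3, the HTTP session on port 4444 from 10.1.2.9 (caught by the service label, not the port), and the port-80 connection from 10.1.2.4 whose service the sensor left unlabelled. The client's connection to the proxy, the proxy's own upstream fetch, the intranet HTTP flow and the DNS lookup are all ignored. In production the internal ranges and proxy address come from the organization's security architecture, and the service label is only as good as the sensor's protocol detection, so the port fallback stays as a safety net.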

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
SI-4 System Monitoring Protects T1001 Data Obfuscation
SI-4 System Monitoring Protects T1001.001 Junk Data
SI-4 System Monitoring Protects T1001.002 Steganography
SI-4 System Monitoring Protects T1001.003 Protocol Impersonation
SI-4 System Monitoring Protects T1003 OS Credential Dumping
SI-4 System Monitoring Protects T1003.001 LSASS Memory
SI-4 System Monitoring Protects T1003.002 Security Account Manager
SI-4 System Monitoring Protects T1003.003 NTDS
SI-4 System Monitoring Protects T1003.004 LSA Secrets
SI-4 System Monitoring Protects T1003.005 Cached Domain Credentials
SI-4 System Monitoring Protects T1003.006 DCSync
SI-4 System Monitoring Protects T1003.007 Proc Filesystem
SI-4 System Monitoring Protects T1003.008 /etc/passwd and /etc/shadow
SI-4 System Monitoring Protects T1008 Fallback Channels
SI-4 System Monitoring Protects T1011 Exfiltration Over Other Network Medium
SI-4 System Monitoring Protects T1011.001 Exfiltration Over Bluetooth
SI-4 System Monitoring Protects T1020.001 Traffic Duplication
SI-4 System Monitoring Protects T1021 Remote Services
SI-4 System Monitoring Protects T1021.001 Remote Desktop Protocol
SI-4 System Monitoring Protects T1021.002 SMB/Windows Admin Shares
SI-4 System Monitoring Protects T1021.003 Distributed Component Object Model
SI-4 System Monitoring Protects T1021.004 SSH
SI-4 System Monitoring Protects T1021.005 VNC
SI-4 System Monitoring Protects T1021.006 Windows Remote Management
SI-4 System Monitoring Protects T1027 Obfuscated Files or Information
SI-4 System Monitoring Protects T1027.002 Software Packing
SI-4 System Monitoring Protects T1029 Scheduled Transfer
SI-4 System Monitoring Protects T1030 Data Transfer Size Limits
SI-4 System Monitoring Protects T1036 Masquerading
SI-4 System Monitoring Protects T1036.003 Rename System Utilities
SI-4 System Monitoring Protects T1036.005 Match Legitimate Name or Location
SI-4 System Monitoring Protects T1037 Boot or Logon Initialization Scripts
SI-4 System Monitoring Protects T1037.002 Logon Script (Mac)
SI-4 System Monitoring Protects T1037.003 Network Logon Script
SI-4 System Monitoring Protects T1037.004 Rc.common
SI-4 System Monitoring Protects T1037.005 Startup Items
SI-4 System Monitoring Protects T1040 Network Sniffing
SI-4 System Monitoring Protects T1041 Exfiltration Over C2 Channel
SI-4 System Monitoring Protects T1046 Network Service Scanning
SI-4 System Monitoring Protects T1048 Exfiltration Over Alternative Protocol
SI-4 System Monitoring Protects T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
SI-4 System Monitoring Protects T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
SI-4 System Monitoring Protects T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
SI-4 System Monitoring Protects T1052 Exfiltration Over Physical Medium
SI-4 System Monitoring Protects T1052.001 Exfiltration over USB
SI-4 System Monitoring Protects T1053 Scheduled Task/Job
SI-4 System Monitoring Protects T1053.001 At (Linux)
SI-4 System Monitoring Protects T1053.002 At (Windows)
SI-4 System Monitoring Protects T1053.003 Cron
SI-4 System Monitoring Protects T1053.004 Launchd
SI-4 System Monitoring Protects T1053.005 Scheduled Task
SI-4 System Monitoring Protects T1053.006 Systemd Timers
SI-4 System Monitoring Protects T1055 Process Injection
SI-4 System Monitoring Protects T1055.001 Dynamic-link Library Injection
SI-4 System Monitoring Protects T1055.002 Portable Executable Injection
SI-4 System Monitoring Protects T1055.003 Thread Execution Hijacking
SI-4 System Monitoring Protects T1055.004 Asynchronous Procedure Call
SI-4 System Monitoring Protects T1055.005 Thread Local Storage
SI-4 System Monitoring Protects T1055.008 Ptrace System Calls
SI-4 System Monitoring Protects T1055.009 Proc Memory
SI-4 System Monitoring Protects T1055.011 Extra Window Memory Injection
SI-4 System Monitoring Protects T1055.012 Process Hollowing
SI-4 System Monitoring Protects T1055.013 Process Doppelgänging
SI-4 System Monitoring Protects T1055.014 VDSO Hijacking
SI-4 System Monitoring Protects T1056.002 GUI Input Capture
SI-4 System Monitoring Protects T1059 Command and Scripting Interpreter
SI-4 System Monitoring Protects T1059.001 PowerShell
SI-4 System Monitoring Protects T1059.005 Visual Basic
SI-4 System Monitoring Protects T1059.006 Python
SI-4 System Monitoring Protects T1059.007 JavaScript/JScript
SI-4 System Monitoring Protects T1068 Exploitation for Privilege Escalation
SI-4 System Monitoring Protects T1070 Indicator Removal on Host
SI-4 System Monitoring Protects T1070.001 Clear Windows Event Logs
SI-4 System Monitoring Protects T1070.002 Clear Linux or Mac System Logs
SI-4 System Monitoring Protects T1070.003 Clear Command History
SI-4 System Monitoring Protects T1071 Application Layer Protocol
SI-4 System Monitoring Protects T1071.001 Web Protocols
SI-4 System Monitoring Protects T1071.002 File Transfer Protocols
SI-4 System Monitoring Protects T1071.003 Mail Protocols
SI-4 System Monitoring Protects T1071.004 DNS
SI-4 System Monitoring Protects T1072 Software Deployment Tools
SI-4 System Monitoring Protects T1078 Valid Accounts
SI-4 System Monitoring Protects T1078.001 Default Accounts
SI-4 System Monitoring Protects T1078.002 Domain Accounts
SI-4 System Monitoring Protects T1078.003 Local Accounts
SI-4 System Monitoring Protects T1078.004 Cloud Accounts
SI-4 System Monitoring Protects T1080 Taint Shared Content
SI-4 System Monitoring Protects T1087 Account Discovery
SI-4 System Monitoring Protects T1087.001 Local Account
SI-4 System Monitoring Protects T1087.002 Domain Account
SI-4 System Monitoring Protects T1090 Proxy
SI-4 System Monitoring Protects T1090.001 Internal Proxy
SI-4 System Monitoring Protects T1090.002 External Proxy
SI-4 System Monitoring Protects T1091 Replication Through Removable Media
SI-4 System Monitoring Protects T1092 Communication Through Removable Media
SI-4 System Monitoring Protects T1095 Non-Application Layer Protocol
SI-4 System Monitoring Protects T1098 Account Manipulation
SI-4 System Monitoring Protects T1098.001 Additional Cloud Credentials
SI-4 System Monitoring Protects T1098.002 Exchange Email Delegate Permissions
SI-4 System Monitoring Protects T1098.003 Add Office 365 Global Administrator Role
SI-4 System Monitoring Protects T1098.004 SSH Authorized Keys
SI-4 System Monitoring Protects T1102 Web Service
SI-4 System Monitoring Protects T1102.001 Dead Drop Resolver
SI-4 System Monitoring Protects T1102.002 Bidirectional Communication
SI-4 System Monitoring Protects T1102.003 One-Way Communication
SI-4 System Monitoring Protects T1104 Multi-Stage Channels
SI-4 System Monitoring Protects T1105 Ingress Tool Transfer
SI-4 System Monitoring Protects T1110 Brute Force
SI-4 System Monitoring Protects T1110.001 Password Guessing
SI-4 System Monitoring Protects T1110.002 Password Cracking
SI-4 System Monitoring Protects T1110.003 Password Spraying
SI-4 System Monitoring Protects T1110.004 Credential Stuffing
SI-4 System Monitoring Protects T1111 Two-Factor Authentication Interception
SI-4 System Monitoring Protects T1114 Email Collection
SI-4 System Monitoring Protects T1114.001 Local Email Collection
SI-4 System Monitoring Protects T1114.002 Remote Email Collection
SI-4 System Monitoring Protects T1114.003 Email Forwarding Rule
SI-4 System Monitoring Protects T1119 Automated Collection
SI-4 System Monitoring Protects T1127 Trusted Developer Utilities Proxy Execution
SI-4 System Monitoring Protects T1127.001 MSBuild
SI-4 System Monitoring Protects T1129 Shared Modules
SI-4 System Monitoring Protects T1132 Data Encoding
SI-4 System Monitoring Protects T1132.001 Standard Encoding
SI-4 System Monitoring Protects T1132.002 Non-Standard Encoding
SI-4 System Monitoring Protects T1133 External Remote Services
SI-4 System Monitoring Protects T1135 Network Share Discovery
SI-4 System Monitoring Protects T1136 Create Account
SI-4 System Monitoring Protects T1136.001 Local Account
SI-4 System Monitoring Protects T1136.002 Domain Account
SI-4 System Monitoring Protects T1136.003 Cloud Account
SI-4 System Monitoring Protects T1137 Office Application Startup
SI-4 System Monitoring Protects T1137.001 Office Template Macros
SI-4 System Monitoring Protects T1176 Browser Extensions
SI-4 System Monitoring Protects T1185 Man in the Browser
SI-4 System Monitoring Protects T1187 Forced Authentication
SI-4 System Monitoring Protects T1189 Drive-by Compromise
SI-4 System Monitoring Protects T1190 Exploit Public-Facing Application
SI-4 System Monitoring Protects T1197 BITS Jobs
SI-4 System Monitoring Protects T1201 Password Policy Discovery
SI-4 System Monitoring Protects T1203 Exploitation for Client Execution
SI-4 System Monitoring Protects T1204 User Execution
SI-4 System Monitoring Protects T1204.001 Malicious Link
SI-4 System Monitoring Protects T1204.002 Malicious File
SI-4 System Monitoring Protects T1205 Traffic Signaling
SI-4 System Monitoring Protects T1205.001 Port Knocking
SI-4 System Monitoring Protects T1210 Exploitation of Remote Services
SI-4 System Monitoring Protects T1211 Exploitation for Defense Evasion
SI-4 System Monitoring Protects T1212 Exploitation for Credential Access
SI-4 System Monitoring Protects T1213 Data from Information Repositories
SI-4 System Monitoring Protects T1213.001 Confluence
SI-4 System Monitoring Protects T1213.002 Sharepoint
SI-4 System Monitoring Protects T1216 Signed Script Proxy Execution
SI-4 System Monitoring Protects T1216.001 PubPrn
SI-4 System Monitoring Protects T1218 Signed Binary Proxy Execution
SI-4 System Monitoring Protects T1218.001 Compiled HTML File
SI-4 System Monitoring Protects T1218.002 Control Panel
SI-4 System Monitoring Protects T1218.003 CMSTP
SI-4 System Monitoring Protects T1218.004 InstallUtil
SI-4 System Monitoring Protects T1218.005 Mshta
SI-4 System Monitoring Protects T1218.008 Odbcconf
SI-4 System Monitoring Protects T1218.009 Regsvcs/Regasm
SI-4 System Monitoring Protects T1218.010 Regsvr32
SI-4 System Monitoring Protects T1218.011 Rundll32
SI-4 System Monitoring Protects T1218.012 Verclsid
SI-4 System Monitoring Protects T1219 Remote Access Software
SI-4 System Monitoring Protects T1220 XSL Script Processing
SI-4 System Monitoring Protects T1221 Template Injection
SI-4 System Monitoring Protects T1222 File and Directory Permissions Modification
SI-4 System Monitoring Protects T1222.001 Windows File and Directory Permissions Modification
SI-4 System Monitoring Protects T1222.002 Linux and Mac File and Directory Permissions Modification
SI-4 System Monitoring Protects T1484 Domain Policy Modification
SI-4 System Monitoring Protects T1485 Data Destruction
SI-4 System Monitoring Protects T1486 Data Encrypted for Impact
SI-4 System Monitoring Protects T1489 Service Stop
SI-4 System Monitoring Protects T1490 Inhibit System Recovery
SI-4 System Monitoring Protects T1491 Defacement
SI-4 System Monitoring Protects T1491.001 Internal Defacement
SI-4 System Monitoring Protects T1491.002 External Defacement
SI-4 System Monitoring Protects T1499 Endpoint Denial of Service
SI-4 System Monitoring Protects T1499.001 OS Exhaustion Flood
SI-4 System Monitoring Protects T1499.002 Service Exhaustion Flood
SI-4 System Monitoring Protects T1499.003 Application Exhaustion Flood
SI-4 System Monitoring Protects T1499.004 Application or System Exploitation
SI-4 System Monitoring Protects T1505 Server Software Component
SI-4 System Monitoring Protects T1505.001 SQL Stored Procedures
SI-4 System Monitoring Protects T1505.002 Transport Agent
SI-4 System Monitoring Protects T1525 Implant Container Image
SI-4 System Monitoring Protects T1528 Steal Application Access Token
SI-4 System Monitoring Protects T1530 Data from Cloud Storage Object
SI-4 System Monitoring Protects T1537 Transfer Data to Cloud Account
SI-4 System Monitoring Protects T1539 Steal Web Session Cookie
SI-4 System Monitoring Protects T1542.004 ROMMONkit
SI-4 System Monitoring Protects T1542.005 TFTP Boot
SI-4 System Monitoring Protects T1543 Create or Modify System Process
SI-4 System Monitoring Protects T1543.002 Systemd Service
SI-4 System Monitoring Protects T1543.003 Windows Service
SI-4 System Monitoring Protects T1546.002 Screensaver
SI-4 System Monitoring Protects T1546.004 .bash_profile and .bashrc
SI-4 System Monitoring Protects T1546.006 LC_LOAD_DYLIB Addition
SI-4 System Monitoring Protects T1546.008 Accessibility Features
SI-4 System Monitoring Protects T1546.013 PowerShell Profile
SI-4 System Monitoring Protects T1546.014 Emond
SI-4 System Monitoring Protects T1547.002 Authentication Package
SI-4 System Monitoring Protects T1547.003 Time Providers
SI-4 System Monitoring Protects T1547.005 Security Support Provider
SI-4 System Monitoring Protects T1547.006 Kernel Modules and Extensions
SI-4 System Monitoring Protects T1547.007 Re-opened Applications
SI-4 System Monitoring Protects T1547.008 LSASS Driver
SI-4 System Monitoring Protects T1547.011 Plist Modification
SI-4 System Monitoring Protects T1548 Abuse Elevation Control Mechanism
SI-4 System Monitoring Protects T1548.001 Setuid and Setgid
SI-4 System Monitoring Protects T1548.002 Bypass User Account Control
SI-4 System Monitoring Protects T1548.003 Sudo and Sudo Caching
SI-4 System Monitoring Protects T1548.004 Elevated Execution with Prompt
SI-4 System Monitoring Protects T1550 Use Alternate Authentication Material
SI-4 System Monitoring Protects T1550.001 Application Access Token
SI-4 System Monitoring Protects T1550.003 Pass the Ticket
SI-4 System Monitoring Protects T1552 Unsecured Credentials
SI-4 System Monitoring Protects T1552.001 Credentials In Files
SI-4 System Monitoring Protects T1552.002 Credentials in Registry
SI-4 System Monitoring Protects T1552.003 Bash History
SI-4 System Monitoring Protects T1552.004 Private Keys
SI-4 System Monitoring Protects T1552.005 Cloud Instance Metadata API
SI-4 System Monitoring Protects T1552.006 Group Policy Preferences
SI-4 System Monitoring Protects T1553 Subvert Trust Controls
SI-4 System Monitoring Protects T1553.001 Gatekeeper Bypass
SI-4 System Monitoring Protects T1553.003 SIP and Trust Provider Hijacking
SI-4 System Monitoring Protects T1553.004 Install Root Certificate
SI-4 System Monitoring Protects T1555 Credentials from Password Stores
SI-4 System Monitoring Protects T1555.001 Keychain
SI-4 System Monitoring Protects T1555.002 Securityd Memory
SI-4 System Monitoring Protects T1556 Modify Authentication Process
SI-4 System Monitoring Protects T1556.001 Domain Controller Authentication
SI-4 System Monitoring Protects T1556.002 Password Filter DLL
SI-4 System Monitoring Protects T1556.003 Pluggable Authentication Modules
SI-4 System Monitoring Protects T1556.004 Network Device Authentication
SI-4 System Monitoring Protects T1557 Man-in-the-Middle
SI-4 System Monitoring Protects T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
SI-4 System Monitoring Protects T1557.002 ARP Cache Poisoning
SI-4 System Monitoring Protects T1558 Steal or Forge Kerberos Tickets
SI-4 System Monitoring Protects T1558.002 Silver Ticket
SI-4 System Monitoring Protects T1558.003 Kerberoasting
SI-4 System Monitoring Protects T1558.004 AS-REP Roasting
SI-4 System Monitoring Protects T1559 Inter-Process Communication
SI-4 System Monitoring Protects T1559.002 Dynamic Data Exchange
SI-4 System Monitoring Protects T1560 Archive Collected Data
SI-4 System Monitoring Protects T1560.001 Archive via Utility
SI-4 System Monitoring Protects T1561 Disk Wipe
SI-4 System Monitoring Protects T1561.001 Disk Content Wipe
SI-4 System Monitoring Protects T1561.002 Disk Structure Wipe
SI-4 System Monitoring Protects T1562 Impair Defenses
SI-4 System Monitoring Protects T1562.001 Disable or Modify Tools
SI-4 System Monitoring Protects T1562.002 Disable Windows Event Logging
SI-4 System Monitoring Protects T1562.003 Impair Command History Logging
SI-4 System Monitoring Protects T1562.004 Disable or Modify System Firewall
SI-4 System Monitoring Protects T1562.006 Indicator Blocking
SI-4 System Monitoring Protects T1563 Remote Service Session Hijacking
SI-4 System Monitoring Protects T1563.001 SSH Hijacking
SI-4 System Monitoring Protects T1563.002 RDP Hijacking
SI-4 System Monitoring Protects T1564.002 Hidden Users
SI-4 System Monitoring Protects T1564.004 NTFS File Attributes
SI-4 System Monitoring Protects T1564.006 Run Virtual Instance
SI-4 System Monitoring Protects T1564.007 VBA Stomping
SI-4 System Monitoring Protects T1565 Data Manipulation
SI-4 System Monitoring Protects T1565.001 Stored Data Manipulation
SI-4 System Monitoring Protects T1565.002 Transmitted Data Manipulation
SI-4 System Monitoring Protects T1565.003 Runtime Data Manipulation
SI-4 System Monitoring Protects T1566 Phishing
SI-4 System Monitoring Protects T1566.001 Spearphishing Attachment
SI-4 System Monitoring Protects T1566.002 Spearphishing Link
SI-4 System Monitoring Protects T1566.003 Spearphishing via Service
SI-4 System Monitoring Protects T1568 Dynamic Resolution
SI-4 System Monitoring Protects T1568.002 Domain Generation Algorithms
SI-4 System Monitoring Protects T1569 System Services
SI-4 System Monitoring Protects T1569.002 Service Execution
SI-4 System Monitoring Protects T1570 Lateral Tool Transfer
SI-4 System Monitoring Protects T1571 Non-Standard Port
SI-4 System Monitoring Protects T1572 Protocol Tunneling
SI-4 System Monitoring Protects T1573 Encrypted Channel
SI-4 System Monitoring Protects T1573.001 Symmetric Cryptography
SI-4 System Monitoring Protects T1573.002 Asymmetric Cryptography
SI-4 System Monitoring Protects T1574 Hijack Execution Flow
SI-4 System Monitoring Protects T1574.001 DLL Search Order Hijacking
SI-4 System Monitoring Protects T1574.002 DLL Side-Loading
SI-4 System Monitoring Protects T1574.004 Dylib Hijacking
SI-4 System Monitoring Protects T1574.005 Executable Installer File Permissions Weakness
SI-4 System Monitoring Protects T1574.007 Path Interception by PATH Environment Variable
SI-4 System Monitoring Protects T1574.008 Path Interception by Search Order Hijacking
SI-4 System Monitoring Protects T1574.009 Path Interception by Unquoted Path
SI-4 System Monitoring Protects T1574.010 Services File Permissions Weakness
SI-4 System Monitoring Protects T1578 Modify Cloud Compute Infrastructure
SI-4 System Monitoring Protects T1578.001 Create Snapshot
SI-4 System Monitoring Protects T1578.002 Create Cloud Instance
SI-4 System Monitoring Protects T1578.003 Delete Cloud Instance
SI-4 System Monitoring Protects T1598 Phishing for Information
SI-4 System Monitoring Protects T1598.001 Spearphishing Service
SI-4 System Monitoring Protects T1598.002 Spearphishing Attachment
SI-4 System Monitoring Protects T1598.003 Spearphishing Link
SI-4 System Monitoring Protects T1599 Network Boundary Bridging
SI-4 System Monitoring Protects T1599.001 Network Address Translation Traversal
SI-4 System Monitoring Protects T1601 Modify System Image
SI-4 System Monitoring Protects T1601.001 Patch System Image
SI-4 System Monitoring Protects T1601.002 Downgrade System Image
SI-4 System Monitoring Protects T1602 Data from Configuration Repository
SI-4 System Monitoring Protects T1602.001 SNMP (MIB Dump)
SI-4 System Monitoring Protects T1602.002 Network Device Configuration Dump