Logo
v1.0.0

Contents

  • Overview
  • Introduction
  • Definitions
  • Model Mapping Pages
    • Level 5: Core to Sub-Technique or Technique
    • Level 4: Core to Some Implementations of (Sub-)Technique
    • Level 3: Core to Pre-Existing Tools
    • Level 2: Core to Adversary-Brought Tool
    • Level 1: Ephemeral Values
    • Column A: Application
    • Column U: User-Mode
    • Column K: Kernel-Mode
    • Observables Quick Search
  • Combining Observables
  • Example Mappings
  • How to Score an Analytic
  • Analytics Repository
  • Capability Abstraction
  • Future Work
  • Acknowledgements
  • Changelog
Summiting the Pyramid
  • Model Mapping Pages
  • Observables Quick Search

Observables Quick Search

Analytic Robustness Categories

Level Name

Observables

5: Core to Sub-Technique or Technique

TargetObject = “HKLMSOFTWAREMicrosoftWindows NTCurrentVersionScheduleTaskCacheTree” OR “HKLMSOFTWAREMicrosoftWindows NTCurrentVersionScheduleTaskCache” (T1053)

4: Core to Some Implementations of (Sub-)Technique

AttributeLDAPDisplayName: msDS-KeyCredentialLink (T1556)

3: Core to Pre-Existing Tools

signer (CAR), signature_valid (CAR), mime_type (CAR), link_target (CAR), command line (Sysmon), parent command line (Sysmon), process command line (Windows EID), command_line (CAR), parent_command_line (CAR), integrity level (Sysmon), mandatory label (Windows EID), token elevation type (Windows EID), original file name (Sysmon), access_level (CAR), integrity_level (CAR), login_type (CAR), login_successful (CAR), auth_service (CAR), decision_reason (CAR), method (CAR)

2: Core to Adversary-Brought Tools

Command line (Sysmon), integrity level (Sysmon), parent command line (Sysmon)

1: Ephemeral Values

Hashes (Sysmon), md5_hash (CAR), sha1_hash (CAR), sha256_hash (CAR), target_address (CAR), dest_ip (CAR), src_ip (CAR), dest_port (CAR), src_port (CAR), image (Sysmon), parent image (Sysmon), current directory (Sysmon), extension (CAR), file_name (CAR), file_path (CAR), image_path (CAR), current_working_directory (CAR), exe (CAR), parent_exe (CAR), app_name (CAR), auth_target (CAR), fqdn (CAR), ad_domain (CAR), target_ad_domain (CAR), process GUID (Sysmon), process ID (Sysmon), parent process GUID (Sysmon), parent process ID (Sysmon), Subject SID (Windows), target SID (Windows EID), new process ID (Windows EID), creator process ID (Windows EID), pid (CAR), ppid (CAR), user (Sysmon), logon GUID (Sysmon), logon ID (Sysmon), subject name (Windows EID), subject domain (Windows EID), subject logon ID (Windows EID), target domain (Windows EID), target logon ID (Windows EID), new process name (Windows EID), creator process name (Windows EID), gid (CAR), group (CAR), owner_uid (CAR), owner (CAR), user (CAR), uid (CAR), guid (CAR), hostname (CAR), target_guid (CAR), target_uid (CAR), target_user (CAR), target_user_role (CAR), target_user_type (CAR), target_name (CAR), target_pid (CAR), login_id (CAR), user_agent (CAR), user_role (CAR), contents (CAR), creation_time (CAR), mode (CAR), previous_creation_time (CAR), env_vars (CAR), data (CAR), new_content (CAR), value (CAR), response_time
Event Robustness Categories

Column Name

Sensor Data Observables

Application (A)

Event ID 4698, Event ID 4699, Event ID 4700, Event ID 4701, Event ID 4702, Event ID 1040, Event ID 1042, Event ID 1033

User-Mode (U)

Sysmon ID 1, Sysmon ID 5, Sysmon ID 2, Sysmon ID 10, Sysmon ID 11, Sysmon ID 15, Sysmon ID 23, Sysmon ID 6, Sysmon ID 13, Sysmon ID 14, Sysmon ID 17, Event ID 7045

Kernel-Mode (K)

Event ID 4688, Event ID 4689, Sysmon ID 8, Event ID 4663, Event ID 4656, Sysmon ID 12, Event ID 4660, Event ID 4657, Event ID 5136
Previous Next

© Copyright 2023, Center for Threat-Informed Defense.