Level 5: Core to Sub-Technique or Technique
Description: Observables associated with “chokepoints” or “invariant behaviors” of the (sub-)technique, unavoidable by any implementation.
Some ATT&CK techniques produce artifacts that are the same across every implementation of the behavior. These artifacts are invariant behaviors: an essential part of any implementation of the technique, so an adversary cannot avoid them by changing tools or tradecraft within that technique. Identifying invariant behaviors requires research into all possible implementations of a technique and the observables each one produces, but it gives the defender the most robust analytic option, because evading the analytic forces the adversary to switch to an entirely different technique.
Note
These observables may change if the definition of the technique is modified in a new version of ATT&CK.
Observables
| Sub-Technique/Technique | Observables | Invariant Behavior |
|---|---|---|
| Scheduled Tasks (T1053) | TargetObject = `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree` OR `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache` | A value under this registry key is written whenever a new task is created, regardless of implementation. [1] |
| OS Credential Dumping: DCSync (T1003.006) | RPC network protocol: Endpoint (aka Interface) = `drsuapi` [2]; Operation (aka Method) = `DRSReplicaSync` OR `DRSGetNCChanges` | `DRSReplicaSync` triggers replication from another Domain Controller. [3] `DRSGetNCChanges` replicates updates from a naming context (NC) on another server. [4] |
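The two rows above can be turned directly into analytics. The following is an added example, not code from the page or from the Summiting the Pyramid project: it runs both Level 5 checks over constructed sample telemetry shaped like Sysmon registry events (Event ID 12/13, `TargetObject` field) and Zeek `dce_rpc.log` records (`endpoint` and `operation` fields). The sample events, host addresses and task name are invented for illustration. One practitioner caveat the table does not spell out is built in as an assumption: domain controllers replicate with the same `drsuapi` calls, so the DCSync check allowlists known DC addresses and only flags replication requests from other hosts.

```python
"""Level 5 analytics over constructed sample telemetry (added example)."""

# Invariant observables taken from the table above.
TASKCACHE_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache",
)
DRSUAPI_OPERATIONS = {"DRSReplicaSync", "DRSGetNCChanges"}


def is_task_creation(event):
    """Sysmon registry event (ID 12 key create/delete, ID 13 value set) whose
    TargetObject lies under the TaskCache key. Compared case-insensitively,
    since registry paths are."""
    if event.get("EventID") not in (12, 13):
        return False
    target = event.get("TargetObject", "").lower()
    return any(target.startswith(k.lower()) for k in TASKCACHE_KEYS)


def is_dcsync(record, domain_controllers):
    """Zeek dce_rpc-style record for a drsuapi replication call whose client
    is not a known domain controller. The allowlist is an assumption added
    here: real DC-to-DC replication produces the same interface/operation
    pair, so the source host is what separates DCSync from normal traffic."""
    if record.get("endpoint") != "drsuapi":
        return False
    if record.get("operation") not in DRSUAPI_OPERATIONS:
        return False
    return record.get("id.orig_h") not in domain_controllers


def detect(registry_events, rpc_records, domain_controllers):
    """Return the Level 5 hits from both feeds, keyed by technique ID."""
    return {
        "T1053": [e for e in registry_events if is_task_creation(e)],
        "T1003.006": [r for r in rpc_records if is_dcsync(r, domain_controllers)],
    }


# --- Constructed sample telemetry (invented, not real captures) -------------
TREE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
SAMPLE_REGISTRY = [
    # schtasks.exe creating a task
    {"EventID": 13, "Image": r"C:\Windows\System32\schtasks.exe",
     "TargetObject": TREE + r"\Updater\Id"},
    # same task via PowerShell Register-ScheduledTask: different tool, same artifact
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": TREE + r"\Updater\Id"},
    # task created through the Task Scheduler COM API from an arbitrary binary
    {"EventID": 12, "Image": r"C:\Users\Public\svc.exe",
     "TargetObject": TREE + r"\Updater"},
    # unrelated persistence (Run key): must not match
    {"EventID": 13, "Image": r"C:\Users\Public\svc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc"},
    # process creation of schtasks.exe: a lower-level, tool-specific observable
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /create /tn Updater /tr svc.exe /sc onlogon"},
]

DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
SAMPLE_RPC = [
    # workstation pulling a naming context from a DC: DCSync
    {"id.orig_h": "10.0.0.57", "id.resp_h": "10.0.0.10",
     "endpoint": "drsuapi", "operation": "DRSGetNCChanges"},
    # DC2 replicating from DC1: expected traffic, suppressed by the allowlist
    {"id.orig_h": "10.0.0.11", "id.resp_h": "10.0.0.10",
     "endpoint": "drsuapi", "operation": "DRSGetNCChanges"},
    # workstation requesting that a DC replicate: also DCSync per the table
    {"id.orig_h": "10.0.0.57", "id.resp_h": "10.0.0.10",
     "endpoint": "drsuapi", "operation": "DRSReplicaSync"},
    # drsuapi bind without a replication operation: not flagged
    {"id.orig_h": "10.0.0.57", "id.resp_h": "10.0.0.10",
     "endpoint": "drsuapi", "operation": "DRSBind"},
    # SAMR enumeration from the same workstation: different interface
    {"id.orig_h": "10.0.0.57", "id.resp_h": "10.0.0.10",
     "endpoint": "samr", "operation": "SamrEnumerateUsersInDomain"},
]


def run_demo():
    """Run both analytics over the sample data and return the hits."""
    hits = detect(SAMPLE_REGISTRY, SAMPLE_RPC, DOMAIN_CONTROLLERS)
    for technique, events in hits.items():
        for e in events:
            print(technique, e)
    return hits


if __name__ == "__main__":
    run_demo()
```

Note that the three scheduled-task hits come from three different creation methods (schtasks.exe, PowerShell, a direct COM caller) and all match on the same registry key, which is the point of a Level 5 observable; the Event ID 1 record for `schtasks.exe` is deliberately ignored, since an analytic built on the process image would be evaded by the other two methods.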
References