mitre-attack · omkaryc · Mar 28, 2024 · Mar 28, 2024
diff --git a/README.md b/README.md
@@ -1,6 +1,7 @@
 # Welcome to the Cyber Analytics Repository
 
 The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the [MITRE ATT&CK®](https://attack.mitre.org/) adversary model. CAR includes implementations directly targeted at specific tools (e.g., Splunk, EQL) in its analytics. With respect to coverage, CAR is focused on providing a set of validated and well-explained analytics, in particular with regards to their operating theory and rationale.
+changes by omkar.
 
 If you want to start exploring, try viewing the [Full Analytic List](https://car.mitre.org/analytics). Also, check out the ATT&CK Navigator layer that captures the current set of ATT&CK tactics and techniques covered by CAR.
 

diff --git a/docs/analytics/by_technique/index.md b/docs/analytics/by_technique/index.md
@@ -16,10 +16,6 @@ permalink: /analytics/by_technique
        <tr>
             <td rowspan="4"><a href="https://attack.mitre.org/techniques/T1003/">T1003: OS Credential Dumping</a></td>
         </tr>
-       <tr>
-            <td><a href="https://attack.mitre.org/techniques/T1003/003/">T1003.003: NTDS</a></td>
-            <td><ul><li><a href="CAR-2019-08-002">CAR-2019-08-002: Active Directory Dumping via NTDSUtil</a></li><li><a href="CAR-2020-05-001">CAR-2020-05-001: MiniDump of LSASS</a></li></ul></td>
-        </tr>
        <tr>
             <td><a href="https://attack.mitre.org/techniques/T1003/001/">T1003.001: LSASS Memory</a></td>
             <td><ul><li><a href="CAR-2013-07-001">CAR-2013-07-001: Suspicious Arguments</a></li><li><a href="CAR-2019-04-004">CAR-2019-04-004: Credential Dumping via Mimikatz</a></li><li><a href="CAR-2019-07-002">CAR-2019-07-002: Lsass Process Dump via Procdump</a></li><li><a href="CAR-2019-08-001">CAR-2019-08-001: Credential Dumping via Windows Task Manager</a></li><li><a href="CAR-2021-05-011">CAR-2021-05-011: Create Remote Thread into LSASS</a></li></ul></td>
@@ -28,6 +24,10 @@ permalink: /analytics/by_technique
             <td><a href="https://attack.mitre.org/techniques/T1003/002/">T1003.002: Security Account Manager</a></td>
             <td><ul><li><a href="CAR-2013-04-002">CAR-2013-04-002: Quick execution of a series of suspicious commands</a></li></ul></td>
         </tr>
+       <tr>
+            <td><a href="https://attack.mitre.org/techniques/T1003/003/">T1003.003: NTDS</a></td>
+            <td><ul><li><a href="CAR-2019-08-002">CAR-2019-08-002: Active Directory Dumping via NTDSUtil</a></li><li><a href="CAR-2020-05-001">CAR-2020-05-001: MiniDump of LSASS</a></li></ul></td>
+        </tr>
        <tr>
             <td rowspan="1"><a href="https://attack.mitre.org/techniques/T1007/">T1007: System Service Discovery</a></td>
             <td>(N/A - technique only)</td>
@@ -62,14 +62,14 @@ permalink: /analytics/by_technique
             <td><a href="https://attack.mitre.org/techniques/T1021/001/">T1021.001: Remote Desktop Protocol</a></td>
             <td><ul><li><a href="CAR-2013-07-002">CAR-2013-07-002: RDP Connection Detection</a></li><li><a href="CAR-2013-10-001">CAR-2013-10-001: User Login Activity Monitoring</a></li><li><a href="CAR-2016-04-005">CAR-2016-04-005: Remote Desktop Logon</a></li></ul></td>
         </tr>
-       <tr>
-            <td><a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002: SMB/Windows Admin Shares</a></td>
-            <td><ul><li><a href="CAR-2013-01-003">CAR-2013-01-003: SMB Events Monitoring</a></li><li><a href="CAR-2013-04-002">CAR-2013-04-002: Quick execution of a series of suspicious commands</a></li><li><a href="CAR-2013-05-003">CAR-2013-05-003: SMB Write Request</a></li><li><a href="CAR-2013-05-005">CAR-2013-05-005: SMB Copy and Execution</a></li><li><a href="CAR-2014-05-001">CAR-2014-05-001: RPC Activity</a></li></ul></td>
-        </tr>
        <tr>
             <td><a href="https://attack.mitre.org/techniques/T1021/006/">T1021.006: Windows Remote Management</a></td>
             <td><ul><li><a href="CAR-2014-05-001">CAR-2014-05-001: RPC Activity</a></li><li><a href="CAR-2014-11-004">CAR-2014-11-004: Remote PowerShell Sessions</a></li><li><a href="CAR-2014-11-006">CAR-2014-11-006: Windows Remote Management (WinRM)</a></li></ul></td>
         </tr>
+       <tr>
+            <td><a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002: SMB/Windows Admin Shares</a></td>
+            <td><ul><li><a href="CAR-2013-01-003">CAR-2013-01-003: SMB Events Monitoring</a></li><li><a href="CAR-2013-04-002">CAR-2013-04-002: Quick execution of a series of suspicious commands</a></li><li><a href="CAR-2013-05-003">CAR-2013-05-003: SMB Write Request</a></li><li><a href="CAR-2013-05-005">CAR-2013-05-005: SMB Copy and Execution</a></li><li><a href="CAR-2014-05-001">CAR-2014-05-001: RPC Activity</a></li></ul></td>
+        </tr>
        <tr>
             <td><a href="https://attack.mitre.org/techniques/T1021/003/">T1021.003: Distributed Component Object Model</a></td>
             <td><ul><li><a href="CAR-2014-05-001">CAR-2014-05-001: RPC Activity</a></li></ul></td>
@@ -130,14 +130,14 @@ permalink: /analytics/by_technique
        <tr>
             <td rowspan="3"><a href="https://attack.mitre.org/techniques/T1053/">T1053: Scheduled Task/Job</a></td>
         </tr>
-       <tr>
-            <td><a href="https://attack.mitre.org/techniques/T1053/002/">T1053.002: At</a></td>
-            <td><ul><li><a href="CAR-2013-04-002">CAR-2013-04-002: Quick execution of a series of suspicious commands</a></li><li><a href="CAR-2013-05-004">CAR-2013-05-004: Execution with AT</a></li><li><a href="CAR-2015-04-001">CAR-2015-04-001: Remotely Scheduled Tasks via AT</a></li></ul></td>
-        </tr>
        <tr>
             <td><a href="https://attack.mitre.org/techniques/T1053/005/">T1053.005: Scheduled Task</a></td>
             <td><ul><li><a href="CAR-2013-01-002">CAR-2013-01-002: Autorun Differences</a></li><li><a href="CAR-2013-04-002">CAR-2013-04-002: Quick execution of a series of suspicious commands</a></li><li><a href="CAR-2013-08-001">CAR-2013-08-001: Execution with schtasks</a></li><li><a href="CAR-2015-04-002">CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks</a></li><li><a href="CAR-2020-09-001">CAR-2020-09-001: Scheduled Task - FileAccess</a></li><li><a href="CAR-2021-12-001">CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths</a></li></ul></td>
         </tr>
+       <tr>
+            <td><a href="https://attack.mitre.org/techniques/T1053/002/">T1053.002: At</a></td>
+            <td><ul><li><a href="CAR-2013-04-002">CAR-2013-04-002: Quick execution of a series of suspicious commands</a></li><li><a href="CAR-2013-05-004">CAR-2013-05-004: Execution with AT</a></li><li><a href="CAR-2015-04-001">CAR-2015-04-001: Remotely Scheduled Tasks via AT</a></li></ul></td>
+        </tr>
        <tr>
             <td rowspan="3"><a href="https://attack.mitre.org/techniques/T1055/">T1055: Process Injection</a></td>
         </tr>
@@ -190,10 +190,6 @@ permalink: /analytics/by_technique
        <tr>
             <td rowspan="4"><a href="https://attack.mitre.org/techniques/T1070/">T1070: Indicator Removal</a></td>
         </tr>
-       <tr>
-            <td><a href="https://attack.mitre.org/techniques/T1070/003/">T1070.003: Clear Command History</a></td>
-            <td><ul><li><a href="CAR-2020-11-005">CAR-2020-11-005: Clear Powershell Console Command History</a></li></ul></td>
-        </tr>
        <tr>
             <td><a href="https://attack.mitre.org/techniques/T1070/001/">T1070.001: Clear Windows Event Logs</a></td>
             <td><ul><li><a href="CAR-2016-04-002">CAR-2016-04-002: User Activity from Clearing Event Logs</a></li><li><a href="CAR-2021-01-003">CAR-2021-01-003: Clearing Windows Logs with Wevtutil</a></li></ul></td>
@@ -202,6 +198,10 @@ permalink: /analytics/by_technique
             <td><a href="https://attack.mitre.org/techniques/T1070/005/">T1070.005: Network Share Connection Removal</a></td>
             <td><ul><li><a href="CAR-2020-11-007">CAR-2020-11-007: Network Share Connection Removal</a></li></ul></td>
         </tr>
+       <tr>
+            <td><a href="https://attack.mitre.org/techniques/T1070/003/">T1070.003: Clear Command History</a></td>
+            <td><ul><li><a href="CAR-2020-11-005">CAR-2020-11-005: Clear Powershell Console Command History</a></li></ul></td>
+        </tr>
        <tr>
             <td rowspan="3"><a href="https://attack.mitre.org/techniques/T1078/">T1078: Valid Accounts</a></td>
         </tr>
@@ -277,14 +277,6 @@ permalink: /analytics/by_technique
        <tr>
             <td rowspan="5"><a href="https://attack.mitre.org/techniques/T1218/">T1218: System Binary Proxy Execution</a></td>
         </tr>
-       <tr>
-            <td><a href="https://attack.mitre.org/techniques/T1218/010/">T1218.010: Regsvr32</a></td>
-            <td><ul><li><a href="CAR-2019-04-002">CAR-2019-04-002: Generic Regsvr32</a></li><li><a href="CAR-2019-04-003">CAR-2019-04-003: Squiblydoo</a></li></ul></td>
-        </tr>
-       <tr>
-            <td><a href="https://attack.mitre.org/techniques/T1218/011/">T1218.011: Rundll32</a></td>
-            <td><ul><li><a href="CAR-2014-03-006">CAR-2014-03-006: RunDLL32.exe monitoring</a></li></ul></td>
-        </tr>
        <tr>
             <td><a href="https://attack.mitre.org/techniques/T1218/001/">T1218.001: Compiled HTML File</a></td>
             <td><ul><li><a href="CAR-2020-11-009">CAR-2020-11-009: Compiled HTML Access</a></li></ul></td>
@@ -293,6 +285,14 @@ permalink: /analytics/by_technique
             <td><a href="https://attack.mitre.org/techniques/T1218/003/">T1218.003: CMSTP</a></td>
             <td><ul><li><a href="CAR-2020-11-010">CAR-2020-11-010: CMSTP</a></li></ul></td>
         </tr>
+       <tr>
+            <td><a href="https://attack.mitre.org/techniques/T1218/011/">T1218.011: Rundll32</a></td>
+            <td><ul><li><a href="CAR-2014-03-006">CAR-2014-03-006: RunDLL32.exe monitoring</a></li></ul></td>
+        </tr>
+       <tr>
+            <td><a href="https://attack.mitre.org/techniques/T1218/010/">T1218.010: Regsvr32</a></td>
+            <td><ul><li><a href="CAR-2019-04-002">CAR-2019-04-002: Generic Regsvr32</a></li><li><a href="CAR-2019-04-003">CAR-2019-04-003: Squiblydoo</a></li></ul></td>
+        </tr>
        <tr>
             <td rowspan="3"><a href="https://attack.mitre.org/techniques/T1222/">T1222: File and Directory Permissions Modification</a></td>
         </tr>
@@ -327,6 +327,10 @@ permalink: /analytics/by_technique
        <tr>
             <td rowspan="7"><a href="https://attack.mitre.org/techniques/T1546/">T1546: Event Triggered Execution</a></td>
         </tr>
+       <tr>
+            <td><a href="https://attack.mitre.org/techniques/T1546/015/">T1546.015: Component Object Model Hijacking</a></td>
+            <td><ul><li><a href="CAR-2020-09-002">CAR-2020-09-002: Component Object Model Hijacking</a></li></ul></td>
+        </tr>
        <tr>
             <td><a href="https://attack.mitre.org/techniques/T1546/001/">T1546.001: Change Default File Association</a></td>
             <td><ul><li><a href="CAR-2013-01-002">CAR-2013-01-002: Autorun Differences</a></li></ul></td>
@@ -347,17 +351,9 @@ permalink: /analytics/by_technique
             <td><a href="https://attack.mitre.org/techniques/T1546/002/">T1546.002: Screensaver</a></td>
             <td><ul><li><a href="CAR-2020-11-011">CAR-2020-11-011: Registry Edit from Screensaver</a></li></ul></td>
         </tr>
-       <tr>
-            <td><a href="https://attack.mitre.org/techniques/T1546/015/">T1546.015: Component Object Model Hijacking</a></td>
-            <td><ul><li><a href="CAR-2020-09-002">CAR-2020-09-002: Component Object Model Hijacking</a></li></ul></td>
-        </tr>
        <tr>
             <td rowspan="4"><a href="https://attack.mitre.org/techniques/T1547/">T1547: Boot or Logon Autostart Execution</a></td>
         </tr>
-       <tr>
-            <td><a href="https://attack.mitre.org/techniques/T1547/004/">T1547.004: Winlogon Helper DLL</a></td>
-            <td><ul><li><a href="CAR-2013-01-002">CAR-2013-01-002: Autorun Differences</a></li><li><a href="CAR-2021-11-002">CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify</a></li></ul></td>
-        </tr>
        <tr>
             <td><a href="https://attack.mitre.org/techniques/T1547/001/">T1547.001: Registry Run Keys / Startup Folder</a></td>
             <td><ul><li><a href="CAR-2013-01-002">CAR-2013-01-002: Autorun Differences</a></li><li><a href="CAR-2013-03-001">CAR-2013-03-001: Reg.exe called from Command Shell</a></li><li><a href="CAR-2020-05-003">CAR-2020-05-003: Rare LolBAS Command Lines</a></li><li><a href="CAR-2021-12-002">CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'</a></li></ul></td>
@@ -366,6 +362,10 @@ permalink: /analytics/by_technique
             <td><a href="https://attack.mitre.org/techniques/T1547/010/">T1547.010: Port Monitors</a></td>
             <td><ul><li><a href="CAR-2013-01-002">CAR-2013-01-002: Autorun Differences</a></li></ul></td>
         </tr>
+       <tr>
+            <td><a href="https://attack.mitre.org/techniques/T1547/004/">T1547.004: Winlogon Helper DLL</a></td>
+            <td><ul><li><a href="CAR-2013-01-002">CAR-2013-01-002: Autorun Differences</a></li><li><a href="CAR-2021-11-002">CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify</a></li></ul></td>
+        </tr>
        <tr>
             <td rowspan="2"><a href="https://attack.mitre.org/techniques/T1548/">T1548: Abuse Elevation Control Mechanism</a></td>
             <td>(N/A - technique only)</td>
@@ -409,14 +409,14 @@ permalink: /analytics/by_technique
        <tr>
             <td rowspan="4"><a href="https://attack.mitre.org/techniques/T1562/">T1562: Impair Defenses</a></td>
         </tr>
-       <tr>
-            <td><a href="https://attack.mitre.org/techniques/T1562/001/">T1562.001: Disable or Modify Tools</a></td>
-            <td><ul><li><a href="CAR-2013-04-002">CAR-2013-04-002: Quick execution of a series of suspicious commands</a></li><li><a href="CAR-2016-04-003">CAR-2016-04-003: User Activity from Stopping Windows Defensive Services</a></li><li><a href="CAR-2021-01-007">CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt</a></li></ul></td>
-        </tr>
        <tr>
             <td><a href="https://attack.mitre.org/techniques/T1562/002/">T1562.002: Disable Windows Event Logging</a></td>
             <td><ul><li><a href="CAR-2022-03-001">CAR-2022-03-001: Disable Windows Event Logging</a></li></ul></td>
         </tr>
+       <tr>
+            <td><a href="https://attack.mitre.org/techniques/T1562/001/">T1562.001: Disable or Modify Tools</a></td>
+            <td><ul><li><a href="CAR-2013-04-002">CAR-2013-04-002: Quick execution of a series of suspicious commands</a></li><li><a href="CAR-2016-04-003">CAR-2016-04-003: User Activity from Stopping Windows Defensive Services</a></li><li><a href="CAR-2021-01-007">CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt</a></li></ul></td>
+        </tr>
        <tr>
             <td><a href="https://attack.mitre.org/techniques/T1562/006/">T1562.006: Indicator Blocking</a></td>
             <td><ul><li><a href="CAR-2013-04-002">CAR-2013-04-002: Quick execution of a series of suspicious commands</a></li><li><a href="CAR-2020-09-003">CAR-2020-09-003: Indicator Blocking - Driver Unloaded</a></li></ul></td>