Skip to content

Latest commit

 

History

History
21 lines (19 loc) · 36.3 KB

ds_vmware_carbon_black_edr.md

File metadata and controls

21 lines (19 loc) · 36.3 KB

Vendor: VMware

Product: Carbon Black EDR

Rules Models MITRE ATT&CK® TTPs Event Types Parsers
643 110 126 11 11
Use-Case Event Types/Parsers MITRE ATT&CK® TTP Content
Account Manipulation process-created
s-process-created-carbonblack
carbonblack-endpoint-process-start
cef-carbonblack-endpoint-process
cef-carbonblack-process-created-3
cef-carbonblack-process-created-1
cef-carbonblack-process-created-2
cef-carbonblack-process-created
 T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 15 Rules
  • 6 Models
Audit Tampering process-created
s-process-created-carbonblack
carbonblack-endpoint-process-start
cef-carbonblack-endpoint-process
cef-carbonblack-process-created-3
cef-carbonblack-process-created-1
cef-carbonblack-process-created-2
cef-carbonblack-process-created
 T1059 - Command and Scripting Interperter
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1546.003 - T1546.003
T1562 - Impair Defenses
T1562.006 - T1562.006
  • 7 Rules
Data Leak file-write
cef-carbonblack-file-write-1
cef-carbonblack-file-write-2
cef-carbonblack-file-write-3
cef-carbonblack-file-write-4
cef-carbonblack-file-create
carbonblack-endpoint-process-file
 T1114.001 - T1114.001
  • 1 Rules
Destruction of Data file-delete
carbonblack-endpoint-process-file
 T1070.004 - Indicator Removal on Host: File Deletion
T1485 - Data Destruction
  • 1 Rules
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
External Remote Services

Valid Accounts

Exploit Public Fasing Application

Phishing

 Windows Management Instrumentation

Command and Scripting Interperter

Scheduled Task/Job

Inter-Process Communication

System Services

Exploitation for Client Execution

User Execution

Scheduled Task/Job: Scheduled Task

Command and Scripting Interperter: PowerShell

Scheduled Task/Job: At (Windows)

 Pre-OS Boot

Create Account

Create or Modify System Process

External Remote Services

Valid Accounts

Hijack Execution Flow

Server Software Component: Web Shell

Account Manipulation

BITS Jobs

Create or Modify System Process: Windows Service

Scheduled Task/Job

Server Software Component

Event Triggered Execution

Boot or Logon Autostart Execution

Create Account: Create: Local Account

 Access Token Manipulation: Token Impersonation/Theft

Create or Modify System Process

Valid Accounts

Access Token Manipulation

Exploitation for Privilege Escalation

Hijack Execution Flow

Group Policy Modification

Process Injection

Scheduled Task/Job

Abuse Elevation Control Mechanism

Event Triggered Execution

Boot or Logon Autostart Execution

Process Injection: Dynamic-link Library Injection

Abuse Elevation Control Mechanism: Bypass User Account Control

 Hide Artifacts

Indirect Command Execution

Impair Defenses

Indicator Removal on Host: Clear Windows Event Logs

Group Policy Modification

Trusted Developer Utilities Proxy Execution

Masquerading: Match Legitimate Name or Location

Masquerading: Rename System Utilities

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Obfuscated Files or Information: Compile After Delivery

Obfuscated Files or Information: Indicator Removal from Tools

Hijack Execution Flow: DLL Side-Loading

Indicator Removal on Host: File Deletion

Masquerading

Valid Accounts

Modify Registry

BITS Jobs

Use Alternate Authentication Material

Hide Artifacts: NTFS File Attributes

Indicator Removal on Host

Use Alternate Authentication Material: Pass the Ticket

Pre-OS Boot

File and Directory Permissions Modification

Deobfuscate/Decode Files or Information

Abuse Elevation Control Mechanism

Impair Defenses: Disable or Modify System Firewall

Obfuscated Files or Information

Signed Binary Proxy Execution: Compiled HTML File

Access Token Manipulation

Hijack Execution Flow

Process Injection

Signed Binary Proxy Execution: Msiexec

Signed Binary Proxy Execution

Signed Binary Proxy Execution: Regsvcs/Regasm

Signed Binary Proxy Execution: CMSTP

Signed Binary Proxy Execution: Control Panel

Signed Binary Proxy Execution: InstallUtil

Signed Binary Proxy Execution: Regsvr32

Trusted Developer Utilities Proxy Execution: MSBuild

Signed Binary Proxy Execution: Rundll32

 OS Credential Dumping

Unsecured Credentials

Steal or Forge Kerberos Tickets

Credentials from Password Stores

Steal or Forge Kerberos Tickets: Kerberoasting

Network Sniffing

 Account Discovery

Domain Trust Discovery

System Service Discovery

System Network Connections Discovery

Account Discovery: Local Account

Account Discovery: Domain Account

File and Directory Discovery

Network Sniffing

System Information Discovery

Network Share Discovery

Query Registry

Process Discovery

System Owner/User Discovery

Software Discovery

Remote System Discovery

System Network Configuration Discovery

 Exploitation of Remote Services

Remote Service Session Hijacking

Remote Services

Remote Services: SMB/Windows Admin Shares

Use Alternate Authentication Material

Remote Services: Remote Desktop Protocol

 Screen Capture

Email Collection

Audio Capture

Archive Collected Data

 Protocol Tunneling

Application Layer Protocol: DNS

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Web Protocols

Remote Access Software

Dynamic Resolution

Ingress Tool Transfer

Dynamic Resolution: Domain Generation Algorithms

Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

 Exfiltration Over Alternative Protocol

Exfiltration Over C2 Channel

 Account Access Removal

Data Destruction

Resource Hijacking

Data Encrypted for Impact

Inhibit System Recovery