Detect
Definition
The detect tactic is used to identify adversary access to or unauthorized activity on computer networks.
Techniques
There are 78 techniques in this category, Detect.
Name | ID | Definition | Synonyms |
---|---|---|---|
File Analysis | D3-FA | File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc. | |
- File Content Analysis | D3-FCOA | Employing a pattern matching algorithm to statically analyze the content of files. | |
- File Hashing | D3-FH | Employing file hash comparisons to detect known malware. | |
- Dynamic Analysis | D3-DA | Executing or opening a file in a synthetic "sandbox" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader. | Malware Detonation, Malware Sandbox |
- Emulated File Analysis | D3-EFA | Emulating instructions in a file looking for specific patterns. | |
- File Content Rules | D3-FCR | Employing a pattern matching rule language to analyze the content of files. | File Content Signatures, File Signatures |
Identifier Analysis | D3-ID | Analyzing identifier artifacts such as IP addresses, domain names, or URLs/URIs. | |
- URL Analysis | D3-UA | Determining if a URL is benign or malicious by analyzing the URL or its components. | |
- Identifier Reputation Analysis | D3-IRA | Analyzing the reputation of an identifier. | |
- Domain Name Reputation Analysis | D3-DNRA | Analyzing the reputation of a domain name. | |
- File Hash Reputation Analysis | D3-FHRA | Analyzing the reputation of a file hash. | |
- IP Reputation Analysis | D3-IPRA | Analyzing the reputation of an IP address. | |
- URL Reputation Analysis | D3-URA | Analyzing the reputation of a URL. | |
- Identifier Activity Analysis | D3-IAA | Taking known malicious identifiers and determining if they are present in a system. | |
- Homoglyph Detection | D3-HD | Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user. | |
Message Analysis | D3-MA | Analyzing email or instant message content to detect unauthorized activity. | Electronic Message Analysis, Email Or Messaging Analysis |
- Sender MTA Reputation Analysis | D3-SMRA | Characterizing the reputation of mail transfer agents (MTAs) to determine the security risk in emails. | |
- Sender Reputation Analysis | D3-SRA | Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging). | |
Network Traffic Analysis | D3-NTA | Analyzing intercepted or summarized computer network traffic to detect unauthorized activity. | |
- Relay Pattern Analysis | D3-RPA | The detection of an internal host relaying traffic between the internal network and the external network. | Relay Network Detection |
- Remote Terminal Session Detection | D3-RTSD | Detection of an unauthorized remote live terminal console session by examining network traffic to a network host. | |
- RPC Traffic Analysis | D3-RTA | Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities. | RPC Protocol Analysis |
- Network Traffic Signature Analysis | D3-NTSA | Analyzing network traffic and comparing it to known signatures. | |
- Active Certificate Analysis | D3-ACA | Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis. | |
- File Carving | D3-FC | Identifying and extracting files from network application protocols through the use of network stream reassembly software. | |
- Inbound Session Volume Analysis | D3-ISVA | Analyzing inbound network session or connection attempt volume. | |
- IPC Traffic Analysis | D3-IPCTA | Analyzing standard inter-process communication (IPC) protocols to detect deviations from normal protocol activity. | IPC Analysis |
- Administrative Network Activity Analysis | D3-ANAA | Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline. | |
- Byte Sequence Emulation | D3-BSE | Analyzing sequences of bytes and determining if they likely represent malicious shellcode. | Shellcode Transmission Detection |
- Certificate Analysis | D3-CA | Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-party logs. | |
- Client-server Payload Profiling | D3-CSPP | Comparing client-server request and response payloads to a baseline profile to identify outliers. | |
- Connection Attempt Analysis | D3-CAA | Analyzing failed connections in a network to detect unauthorized activity. | Network Scan Detection |
- DNS Traffic Analysis | D3-DNSTA | Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host. | Domain Name Analysis |
- Per Host Download-Upload Ratio Analysis | D3-PHDURA | Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host. | |
- Protocol Metadata Anomaly Detection | D3-PMAD | Collecting network communication protocol metadata and identifying statistical outliers. | |
- Network Traffic Community Deviation | D3-NTCD | Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication. | |
- Passive Certificate Analysis | D3-PCA | Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity. | |
Platform Monitoring | D3-PM | Monitoring platform components such as operating systems software, hardware devices, or firmware. | |
- Scheduled Job Analysis | D3-SJA | Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling. | Scheduled Job Execution |
- System Daemon Monitoring | D3-SDM | Tracking changes to the state or configuration of critical system level processes. | |
- System File Analysis | D3-SFA | Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering. | |
- System Firmware Verification | D3-SFV | Cryptographically verifying installed system firmware integrity. | |
- System Init Config Analysis | D3-SICA | Analysis of any system process startup configuration. | Autorun Analysis, Startup Analysis |
- User Session Init Config Analysis | D3-USICA | Analyzing modifications to user session config files such as .bashrc or .bash_profile. | User Startup Config Analysis |
- File Integrity Monitoring | D3-FIM | Detecting any suspicious changes to files in a computer system. | |
- Service Binary Verification | D3-SBV | Analyzing changes in service binary files by comparing to a source of truth. | |
- Firmware Behavior Analysis | D3-FBA | Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity. | Firmware Timing Analysis |
- Firmware Embedded Monitoring Code | D3-FEMC | Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data. | |
- Firmware Verification | D3-FV | Cryptographically verifying firmware integrity. | |
- Endpoint Health Beacon | D3-EHB | Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised. | Endpoint Health Telemetry |
- Input Device Analysis | D3-IDA | Operating system level mechanisms to prevent abusive input device exploitation. | |
- Memory Boundary Tracking | D3-MBT | Analyzing a call stack for return addresses which point to unexpected memory locations. | |
- Operating System Monitoring | D3-OSM | The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, and initialization or boot logic. It also includes other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitutes **Operating System Monitoring**. | |
- Peripheral Firmware Verification | D3-PFV | Cryptographically verifying peripheral firmware integrity. | |
Process Analysis | D3-PA | Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations. | |
- Process Self-Modification Detection | D3-PSMD | Detects processes that modify, change, or replace their own code at runtime. | |
- Process Spawn Analysis | D3-PSA | Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized. | |
- Script Execution Analysis | D3-SEA | Analyzing the execution of a script to detect unauthorized user activity. | |
- Shadow Stack Comparisons | D3-SSC | Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity. | |
- System Call Analysis | D3-SCA | Analyzing system calls to determine whether a process is exhibiting unauthorized behavior. | |
- Indirect Branch Call Analysis | D3-IBCA | Analyzing vendor specific branch call recording in order to detect ROP style attacks. | |
- Database Query String Analysis | D3-DQSA | Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html). | |
- File Access Pattern Analysis | D3-FAPA | Analyzing the files accessed by a process to identify unauthorized activity. | |
- File Creation Analysis | D3-FCA | Analyzing the properties of file create system call invocations. | |
- Process Code Segment Verification | D3-PCSV | Comparing the "text" or "code" memory segments to a source of truth. | |
- Process Lineage Analysis | D3-PLA | Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors. | Process Tree Analysis |
User Behavior Analysis | D3-UBA | User behavior analytics ("UBA"), as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns, anomalies that indicate potential threats. Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats. | Credential Monitoring, UBA |
- Resource Access Pattern Analysis | D3-RAPA | Analyzing the resources accessed by a user to identify unauthorized activity. | |
- Session Duration Analysis | D3-SDA | Analyzing the duration of user sessions in order to detect unauthorized activity. | |
- User Data Transfer Analysis | D3-UDTA | Analyzing the amount of data transferred by a user. | |
- User Geolocation Logon Pattern Analysis | D3-UGLPA | Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location. | |
- Web Session Activity Analysis | D3-WSAA | Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined malicious behavior. | |
- Job Function Access Pattern Analysis | D3-JFAPA | Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, department. | |
- Local Account Monitoring | D3-LAM | Analyzing local user accounts to detect unauthorized activity. | |
- Authentication Event Thresholding | D3-ANET | Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile. | |
- Authorization Event Thresholding | D3-AZET | Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile. | |
- Credential Compromise Scope Analysis | D3-CCSA | Determining which credentials may have been compromised by analyzing the user logon history of a particular system. | |
- Domain Account Monitoring | D3-DAM | Monitoring the existence of or changes to Domain User Accounts. | |
D3FEND™
A knowledge graph of cybersecurity countermeasures