Automated commit to rebuild the static site
Signed-off-by: Build and Push Automation Script <>
alexiacrumpton authored and Build and Push Automation Script committed Feb 27, 2023
1 parent 9a02481 commit 5684c73
Showing 89 changed files with 829 additions and 570 deletions.
1 change: 1 addition & 0 deletions docs/analytics/CAR-2013-01-002/index.md
Expand Up @@ -14,6 +14,7 @@ The Sysinternals tool [Autoruns](../sensors/autoruns) checks the registry and fi
Utilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself but through analysis of results by an analyst can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative.



### ATT&CK Detections

|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
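Review bot: the only change in this hunk is a third consecutive blank line before `### ATT&CK Detections` (two are already visible above it), and the same one-line insertion is repeated across the other files in this commit. Markdown collapses runs of blank lines, so the rendered site does not change; the generator should emit exactly one blank line before the heading so that rebuilds stop producing this churn, and the trailing-whitespace stripping seen in later hunks should be done in the same normalisation pass rather than file by file.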
6 changes: 4 additions & 2 deletions docs/analytics/CAR-2013-01-003/index.md
Expand Up @@ -9,13 +9,14 @@ contributors: MITRE
applicable_platforms: N/A
---
<br><br>
[Server Message Block](https://en.wikipedia.org/wiki/Server_Message Block) (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise.
[Server Message Block](https://en.wikipedia.org/wiki/Server_Message Block) (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise.

### Output Description

The source, destination, content, and time of each event.



### ATT&CK Detections

|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
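Review bot: the rewritten SMB description line still carries a broken link, `https://en.wikipedia.org/wiki/Server_Message Block` (a space where the underscore belongs), so the rendered anchor points at a non-existent article. The before and after lines differ only in trailing whitespace, so the rebuild preserves the defect; since the line is being touched anyway, change the URL to `https://en.wikipedia.org/wiki/Server_Message_Block`.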
Expand Down Expand Up @@ -45,14 +46,15 @@ The source, destination, content, and time of each event.

#### Pseudocode

Although there may be more native ways to detect detailed SMB events on the host, they can be extracted out of network traffic. With the right protocol decoders, port 445 traffic can be filtered and even the file path (relative to the share) can be retrieved.
Although there may be more native ways to detect detailed SMB events on the host, they can be extracted out of network traffic. With the right protocol decoders, port 445 traffic can be filtered and even the file path (relative to the share) can be retrieved.


```
flow = search Flow:Message
smb_events = filter flow where (dest_port == "445" and protocol == "smb")
smb_events.file_name = smb_events.proto_info.file_name
output smb_write
```


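Review bot: the pseudocode block filters into `smb_events` and assigns `smb_events.file_name`, but the final line is `output smb_write`, a name that is never defined in this block (it is the variable used by CAR-2013-05-003, which filters on `protocol == "smb.write"`). The last line should be `output smb_events`. The rewrite of the introductory sentence above the fence only strips trailing whitespace, so this is an existing error that the rebuild carries forward.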
4 changes: 3 additions & 1 deletion docs/analytics/CAR-2013-02-008/index.md
Expand Up @@ -15,6 +15,7 @@ Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pr
Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft's [Audit Logon Events](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787567(v=ws.10)) page.



### ATT&CK Detections

|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
Expand Down Expand Up @@ -47,9 +48,10 @@ Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types
```
users_list = search UserSession:Login
users_grouped = group users_list by hostname
users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count
users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count
multiple_logins = filter users_grouped where (latest_time - earliest_time <= 1 hour and user_count > 1)
output multiple_logins
```
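Review bot: the rewritten `select` line is missing a comma between `max(time) as latest_time` and `count(user) as user_count`, and the only thing that changed on the line is trailing whitespace, so the syntax error survives. Separately, `count(user)` counts logon events rather than accounts, so one user logging on twice within an hour already satisfies `user_count > 1`; if the intent of `multiple_logins` is several different users on one host, `count(distinct user)` expresses it.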


1 change: 1 addition & 0 deletions docs/analytics/CAR-2013-02-012/index.md
Expand Up @@ -18,6 +18,7 @@ Certain users will likely appear as being logged into several machines and may n
User Name, Machines logged into, the earliest and latest times in which users were logged into the host, the type of logon, and logon ID.



### ATT&CK Detections

|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
3 changes: 3 additions & 0 deletions docs/analytics/CAR-2013-03-001/index.md
Expand Up @@ -21,6 +21,7 @@ The sequence of processes that resulted in `reg.exe` being started from a shell.
- `reg.exe`



### ATT&CK Detections

|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
Expand Down Expand Up @@ -65,6 +66,7 @@ reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe")
cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"")
reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)
output reg_and_cmd
```


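Review bot: the `cmd` filter line ends in `parent_exe != "explorer.exe""`, a stray second closing quote that makes the pseudocode unparsable; drop the extra `"`. This hunk only adds a blank line after the closing fence, so the defect is pre-existing, but it sits in the lines being rebuilt and is a one-character fix.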
Expand All @@ -77,6 +79,7 @@ DNIF version of the above pseudocode.
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*reg\.exe.*)i AND $ParentProcess=regex(.*cmd\.exe.*)i as #A limit 100
>>_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*cmd\.exe.*)i NOT $ParentProcess=regex(.*explorer\.exe.*)i as #B limit 100
>>_checkif sjoin #B.$PPID = #A.$CPID str_compare #B.$SystemName eq #A.$SystemName include
```


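Review bot: the DNIF join condition `#B.$PPID = #A.$CPID` appears inverted relative to the pseudocode. `#A` is the `reg.exe` fetch and `#B` the `cmd.exe` fetch, so the condition reads as cmd.ppid == reg.pid, whereas the pseudocode joins on `reg.ppid == cmd.pid`. Unless `$CPID` here means something other than the event's own process id, the join should be `#A.$PPID = #B.$CPID`. The `str_compare #B.$SystemName eq #A.$SystemName` part matches the `hostname` condition and is fine.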
1 change: 1 addition & 0 deletions docs/analytics/CAR-2013-05-003/index.md
Expand Up @@ -48,6 +48,7 @@ flow = search Flow:Message
smb_write = filter flow where (dest_port == "445" and protocol == "smb.write")
smb_write.file_name = smb_write.proto_info.file_name
output smb_write
```


4 changes: 4 additions & 0 deletions docs/analytics/CAR-2013-07-005/index.md
Expand Up @@ -14,6 +14,7 @@ Before [exfiltrating data](https://attack.mitre.org/tactics/TA0010) that an adve
In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "`\* a \*`". This is helpful, as adversaries may change program names.



### ATT&CK Detections

|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
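Review bot: in the description line the flag pattern is written as `` `\* a \*` ``; inside a code span the backslashes are not escape characters and are rendered literally, so readers see `\* a \*` while every implementation below uses the plain wildcard form `* a *`. Remove the backslashes in the code span so the prose matches the pseudocode, DNIF and LogPoint patterns.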
Expand Down Expand Up @@ -48,6 +49,7 @@ This analytic looks for the command line argument `a`, which is used by RAR. How
processes = search Process:Create
rar_argument = filter processes where (command_line == "* a *")
output rar_argument
```


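Review bot: `command_line == "* a *"` uses equality against a wildcard pattern, while the other analytics in this commit use `match` for pattern comparison; as written it is only true for the literal string `* a *`. Also worth noting for whoever implements it: the pattern requires a space on both sides of `a`, so `rar a backup.rar` matches but a command line that ends in ` a` (the archive given on a separate token or the flag last) does not, which is consistent with the DNIF regex `.* a .*` and the LogPoint `"* a *"` below but should be stated in the prose that advertises the technique as name-independent.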
Expand All @@ -58,6 +60,7 @@ DNIF version of the above pseudocode.

```
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.* a .*)i limit 100
```


Expand All @@ -68,6 +71,7 @@ LogPoint version of the above pseudocode.

```
norm_id=WindowsSysmon event_id=1 command="* a *"
```


4 changes: 4 additions & 0 deletions docs/analytics/CAR-2013-08-001/index.md
Expand Up @@ -47,6 +47,7 @@ Look for instances of `schtasks.exe` running as processes. The `command_line` fi
process = search Process:Create
schtasks = filter process where (exe == "schtasks.exe")
output schtasks
```


Expand All @@ -57,6 +58,7 @@ DNIF version of the above pseudocode.

```
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=schtasks.exe AND $Process=regex(.*(\/create|\/run|\/query|\/delete|\/change|\/end).*)i limit 100
```


Expand All @@ -67,6 +69,7 @@ LogPoint version of the above pseudocode.

```
norm_id=WindowsSysmon event_id=1 image="*\schtasks.exe" command IN ["*/create*", "*/run*", "*/query*", "*/delete*", "*/change*", "*/end*"]
```


Expand All @@ -85,6 +88,7 @@ Create a new scheduled task with schtasks.exe and verify the analytic fires when
* To remove the scheduled task, execute `schtasks /Delete /TN calctask`.
* The program should respond with “SUCCESS: The scheduled task “calctask” was successfully deleted.”


```
schtasks /Create /SC ONCE /ST 19:00 /TR C:\Windows\System32\calc.exe /TN calctask
schtasks /Delete /TN calctask
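Review bot: the expected output quoted in the bullet, `“SUCCESS: The scheduled task “calctask” was successfully deleted.”`, uses curly quotes around the task name; `schtasks` prints straight quotes (`"calctask"`), so anyone grepping console output for the documented string will not find it. The only change in this hunk is the blank line added before the fence, so fix the quotes while the block is open. The `/Create` and `/Delete` commands in the fence themselves look correct.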
4 changes: 4 additions & 0 deletions docs/analytics/CAR-2013-10-001/index.md
Expand Up @@ -19,6 +19,7 @@ Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pr
The time of login events for distinct users on individual systems



### ATT&CK Detections

|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
Expand Down Expand Up @@ -50,6 +51,7 @@ logon_events = search User_Session:Login
filtered_logons = filter logon_events where (
user NOT IN TOP30(user))
output filtered_logons
```


Expand All @@ -61,6 +63,7 @@ Splunk version of the above pseudocode. NOTE - this is liable to be quite noisy

```
index=__your_win_event_log_index__ EventCode=4624|search NOT [search index=__your_win_event_log_index__ EventCode=4624|top 30 Account_Name|table Account_Name]
```


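Review bot: the Splunk search keys everything on `Account_Name`, but a 4624 event as extracted by the Windows add-on carries two `Account_Name` values (the Subject account and the New Logon account), so both `top 30 Account_Name` and the `NOT [...]` exclusion operate on a multivalued field. Machine and SYSTEM accounts from the Subject side will fill the top 30, and an event is suppressed whenever either of its two values is in that list, which is a large part of the noise the note above warns about. Selecting the New Logon value first (typically the second entry, e.g. `| eval user=mvindex(Account_Name,1)`) in both the outer search and the subsearch, and bounding the baseline subsearch with an `earliest=` window, would make the result usable.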
Expand All @@ -75,6 +78,7 @@ _fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICA
>>_store in_disk david_test win_top_30 stack_replace
>>_fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICATION AND $Action=LOGIN limit 10000
>>_checkif lookup david_test win_top_30 join $ScopeID = $ScopeID str_compare $User eq $User exclude
```


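Review bot: the DNIF version stores and reads the baseline from `david_test win_top_30`, which looks like a developer's personal workspace name rather than a repository-wide name; it is being published unchanged by this rebuild. Rename the store to something neutral such as a CAR-2013-10-001-specific name so that users do not copy a test namespace into production. The `$ScopeID = $ScopeID` lookup join with `exclude` otherwise mirrors the `user NOT IN TOP30(user)` pseudocode.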
3 changes: 3 additions & 0 deletions docs/analytics/CAR-2013-10-002/index.md
Expand Up @@ -18,6 +18,7 @@ Microsoft Windows allows for processes to remotely create threads within other p
This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is `LoadLibraryA` or `LoadLibraryW`, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.



### ATT&CK Detections

|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
Expand Down Expand Up @@ -56,6 +57,7 @@ remote_thread = filter (start_function == "LoadLibraryA" or start_function == "L
remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")
output remote_thread
```


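Review bot: the two `filter` lines in this block (`remote_thread = filter (start_function == ...` in the header context and `remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")`) name no input set, unlike every other analytic in this commit, which uses the `filter <set> where (...)` form; they should be `filter remote_thread where (...)`. The block also does not say where `remote_thread` is first populated from a search; that line is outside the hunk, so please check it is present. The hunk itself only adds a blank line after the fence.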
Expand All @@ -66,6 +68,7 @@ LogPoint version of the above pseudocode.

```
norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe"
```


4 changes: 3 additions & 1 deletion docs/analytics/CAR-2014-02-001/index.md
Expand Up @@ -16,6 +16,7 @@ Adversaries may modify the binary file for an existing service to achieve [Persi
The Service Name and approximate time in which changes occurred on each host



### ATT&CK Detections

|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
Expand Down Expand Up @@ -58,12 +59,13 @@ file_change = search File:Create,Modify
process = search Process:Create
service_process = filter processes where (parent_exe == "services.exe")
modified_service = join (search, filter) where (
file_change.time < service_process.time and
file_change.time < service_process.time and
file_change.file_path == service_process.image_path
)
modified_service = filter modified_service where (modified_service.file_change.image_path not in legitimate_installers)
output modified_service
```


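Review bot: the variable names in this block do not line up. `process = search Process:Create` is followed by `filter processes where (...)`, and the join is written as `join (search, filter)` where the intended operands are the two named sets, `file_change` and `service_process`. The only line rewritten by this hunk, `file_change.time < service_process.time and`, changes in trailing whitespace alone. Suggest `service_process = filter process where (parent_exe == "services.exe")` and `modified_service = join (file_change, service_process) where (...)`; `legitimate_installers` is used as an allowlist without being defined, which is acceptable for pseudocode but worth a comment.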
4 changes: 3 additions & 1 deletion docs/analytics/CAR-2014-03-005/index.md
Expand Up @@ -9,13 +9,14 @@ contributors: MITRE
applicable_platforms: Windows
---
<br><br>
There are several ways to cause code to [execute](https://attack.mitre.org/tactics/TA0002) on a remote host. One of the most common methods is via the Windows [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM), which allows authorized users to remotely create and modify services. Several tools, such as [PsExec](https://attack.mitre.org/software/S0029), use this functionality.
There are several ways to cause code to [execute](https://attack.mitre.org/tactics/TA0002) on a remote host. One of the most common methods is via the Windows [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM), which allows authorized users to remotely create and modify services. Several tools, such as [PsExec](https://attack.mitre.org/software/S0029), use this functionality.

When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the [RPC Endpoint Mapper](../CAR-2014-05-001) over 135/tcp. This handles authentication, and tells the client what port the endpoint—in this case the SCM—is listening on. Then, the client connects directly to the listening port on `services.exe`. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command.

This compound behavior can be detected by looking for `services.exe` receiving a network connection and immediately spawning a child process.



### ATT&CK Detections

|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
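Review bot: the context paragraph describing the SCM exchange contains a duplicated word, "the the SCM process will run the corresponding command"; since the paragraph directly above it is being rewritten (trailing whitespace only), fix the typo in the same pass. The description of the two-step behaviour (endpoint mapper on 135/tcp, then a direct connection to the port `services.exe` listens on) is otherwise consistent with the pseudocode's `flow.time < service.time < flow.time + 1 second` window in the next hunk.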
Expand Down Expand Up @@ -59,6 +60,7 @@ remote_start = join (flow, service ) where (
(flow.time < service.time < flow.time + 1 second)
)
output remote_start
```


6 changes: 6 additions & 0 deletions docs/analytics/CAR-2014-04-003/index.md
Expand Up @@ -16,6 +16,7 @@ Powershell can be used to hide monitored command line execution such as:
- `sc start`



### ATT&CK Detections

|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
Expand Down Expand Up @@ -52,6 +53,7 @@ Look for versions of `PowerShell` that were not launched interactively.
process = search Process:Create
powershell = filter process where (exe == "powershell.exe" AND parent_exe != "explorer.exe" )
output powershell
```


Expand All @@ -62,6 +64,7 @@ Splunk version of the above pseudocode.

```
index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\powershell.exe" ParentImage!="C:\\Windows\\explorer.exe"|stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName
```


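Review bot: the Splunk search pins the image to `C:\\Windows\\*\\powershell.exe`, while the pseudocode (`exe == "powershell.exe"`) and the LogPoint version below (`image="*\powershell.exe"`) match the file name under any path. A copy of `powershell.exe` launched from a user-writable directory is therefore caught by two of the three implementations but not by this one. Use `Image="*\\powershell.exe"` to keep the implementations equivalent, or document why the Splunk variant is intentionally narrower.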
Expand All @@ -73,6 +76,7 @@ EQL version of the above pseudocode.
```
process where subtype.create and
(process_name == "powershell.exe" and parent_process_name != "explorer.exe")
```


Expand All @@ -83,6 +87,7 @@ DNIF version of the above pseudocode.

```
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=powershell.exe NOT $ParentProcess=regex(.*explorer.exe.*)i limit 30
```


Expand All @@ -93,6 +98,7 @@ LogPoint version of the above pseudocode.

```
norm_id=WindowsSysmon event_id=1 image="*\powershell.exe" -parent_image="C:\Windows\explorer.exe"
```


4 changes: 3 additions & 1 deletion docs/analytics/CAR-2014-11-002/index.md
Expand Up @@ -11,7 +11,7 @@ applicable_platforms: Windows
<br><br>
Many programs create command prompts as part of their normal operation including malware used by attackers. This analytic attempts to identify suspicious programs spawning `cmd.exe` by looking for programs that do not normally create `cmd.exe`.

While this analytic does not take the user into account, doing so could generate further interesting results.
While this analytic does not take the user into account, doing so could generate further interesting results.
It is very common for some programs to spawn cmd.exe as a subprocess, for example to run batch files or windows commands. However many process don’t routinely launch a command prompt – for example Microsoft Outlook. A command prompt being launched from a process that normally doesn’t launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one.


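Review bot: the rewritten line differs from the original only in trailing whitespace, but the following context line still reads "However many process don’t routinely launch a command prompt"; it should be "many processes don't". Fix it in the same edit, since the blank-line and whitespace churn in this commit touches the paragraph anyway.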
Expand All @@ -20,6 +20,7 @@ It is very common for some programs to spawn cmd.exe as a subprocess, for exampl
The time and host the new process was started as well as its parent



### ATT&CK Detections

|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
Expand Down Expand Up @@ -59,6 +60,7 @@ historic_cmd = filter cmd (where timestamp < now - 1 day AND timestamp > now - 1
current_cmd = filter cmd (where timestamp >= now - 1 day)
new_cmd = historic_cmd - current_cmd
output new_cmd
```


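Review bot: the set difference on the last pseudocode line is inverted. `historic_cmd` holds parents of `cmd.exe` seen before the last day and `current_cmd` those seen within it, so `new_cmd = historic_cmd - current_cmd` yields parents that were seen historically but not today, the opposite of the "new parent" the analytic is looking for; it should be `new_cmd = current_cmd - historic_cmd`, with the difference taken over the parent image rather than whole events. The `filter cmd (where ...)` form on the two preceding lines also differs from the `filter <set> where (...)` syntax used elsewhere in this commit.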
5 changes: 4 additions & 1 deletion docs/analytics/CAR-2014-11-003/index.md
Expand Up @@ -9,11 +9,12 @@ contributors: MITRE
applicable_platforms: Windows
---
<br><br>
The Windows Registry location `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for [Accessibility Applications](https://attack.mitre.org/techniques/T1546/008). The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.
The Windows Registry location `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for [Accessibility Applications](https://attack.mitre.org/techniques/T1546/008). The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.

This analytic could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. Although the chance of the string "sethc.exe" being used as an argument for another application is unlikely, it still is a possibility.



### ATT&CK Detections

|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
Expand Down Expand Up @@ -49,6 +50,7 @@ One simple way to implement this technique is to note that in a default Windows
process = search Process:Create
debuggers = filter process where (command_line match "$.* .*(sethc{{pipe}}utilman{{pipe}}osk{{pipe}}narrator{{pipe}}magnify)\.exe")
output debuggers
```


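Review bot: the regex in the rendered pseudocode contains `{{pipe}}` between the alternatives (`sethc{{pipe}}utilman{{pipe}}osk...`). If this is a template variable meant to expand to `|`, the rebuild has not expanded it and the published pattern has no alternation; if it is intended as literal text, the regex is simply wrong. Either way the output should read `(sethc|utilman|osk|narrator|magnify)\.exe`. The leading `$` in `"$.* .*(...)"` is also an end-of-input anchor in most regex dialects and would prevent any match; it looks like a stray character.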
Expand All @@ -59,6 +61,7 @@ LogPoint version of the above pseudocode.

```
norm_id=WindowsSysmon event_id=1 command IN ["$* *sethc.exe", "$* *utilman.exe", "$* *osk.exe", "$* *narrator.exe", "$* *magnify.exe"]
```


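Review bot: the LogPoint patterns all begin with `$* *` (for example `"$* *sethc.exe"`), where the `$` appears to have been carried over from the regex in the pseudocode above; in a glob-style `command IN [...]` match it is a literal character and no real command line starts with `$`, so the rule would never fire. Drop the `$` so the patterns read `"* *sethc.exe"` and so on. The hunk itself only adds a blank line after the fence.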
