{
"type": "bundle",
"id": "bundle--959a1bcd-6e57-441d-85ab-bf4d96bf8121",
"spec_version": "2.0",
"objects": [
{
"type": "x-mitre-analytic",
"id": "x-mitre-analytic--6b3b3e92-bef7-4977-9895-29036bab29f1",
"created": "2025-10-21T15:10:28.402Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/detectionstrategies/DET0765#AN1897",
"external_id": "AN1897"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-10-21T15:10:28.402Z",
"name": "Analytic 1897",
"description": "Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.\nMonitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. Because such API calls bypass the usual service-control utilities, command-line and process-creation telemetry alone will not surface them; API-level visibility (for example, from an endpoint agent) is needed to cover this path. For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).\nMonitor processes and command-line arguments to see if critical processes are terminated or stop running.\nAlterations to the service binary path, or a service startup type changed to disabled, may be suspicious, particularly when the change is made by an unexpected user or process or falls outside an expected maintenance window.\nMonitor for changes made to Windows registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.\nMonitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_platforms": [
"None"
],
"x_mitre_log_source_references": [
{
"x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
"name": "File",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"name": "Command",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
"name": "Process",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
"name": "Process",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c",
"name": "Service",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170",
"name": "Windows Registry",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"name": "Process",
"channel": "None"
}
],
"x_mitre_deprecated": false
}
]
} |