Automated commit to rebuild the static site

Signed-off-by: Build and Push Automation Script <>

Author: alexiacrumpton

docs/analytics/CAR-2013-01-002/index.md

@@ -14,6 +14,7 @@ The Sysinternals tool [Autoruns](../sensors/autoruns) checks the registry and fi
 Utilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself but through analysis of results by an analyst can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative.
 
 
+
 ### ATT&CK Detections
 
 |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|

docs/analytics/CAR-2013-01-003/index.md

@@ -9,13 +9,14 @@ contributors: MITRE
 applicable_platforms: N/A
 ---
 <br><br>
-[Server Message Block](https://en.wikipedia.org/wiki/Server_Message Block) (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise. 
+[Server Message Block](https://en.wikipedia.org/wiki/Server_Message Block) (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise.
 
 ### Output Description
 
 The source, destination, content, and time of each event.
 
 
+
 ### ATT&CK Detections
 
 |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
@@ -45,14 +46,15 @@ The source, destination, content, and time of each event.
 
 #### Pseudocode
 
-Although there may be more native ways to detect detailed SMB events on the host, they can be extracted out of network traffic. With the right protocol decoders, port 445 traffic can be filtered and even the file path (relative to the share) can be retrieved. 
+Although there may be more native ways to detect detailed SMB events on the host, they can be extracted out of network traffic. With the right protocol decoders, port 445 traffic can be filtered and even the file path (relative to the share) can be retrieved.
 
 
 ```
 flow = search Flow:Message
 smb_events = filter flow where (dest_port == "445" and protocol == "smb")
 smb_events.file_name = smb_events.proto_info.file_name
 output smb_write
+
 ```
 
 

docs/analytics/CAR-2013-02-008/index.md

@@ -15,6 +15,7 @@ Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pr
 Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft's [Audit Logon Events](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787567(v=ws.10)) page.
 
 
+
 ### ATT&CK Detections
 
 |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
@@ -47,9 +48,10 @@ Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types
 ```
 users_list = search UserSession:Login
 users_grouped = group users_list by hostname
-users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count 
+users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count
 multiple_logins = filter users_grouped where (latest_time - earliest_time <= 1 hour and user_count > 1)
 output multiple_logins
+
 ```
 
 

docs/analytics/CAR-2013-02-012/index.md

@@ -18,6 +18,7 @@ Certain users will likely appear as being logged into several machines and may n
 User Name, Machines logged into, the earliest and latest times in which users were logged into the host, the type of logon, and logon ID.
 
 
+
 ### ATT&CK Detections
 
 |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|

docs/analytics/CAR-2013-03-001/index.md

@@ -21,6 +21,7 @@ The sequence of processes that resulted in `reg.exe` being started from a shell.
 -   `reg.exe`
 
 
+
 ### ATT&CK Detections
 
 |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
@@ -65,6 +66,7 @@ reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe")
 cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"")
 reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)
 output reg_and_cmd
+
 ```
 
 
@@ -77,6 +79,7 @@ DNIF version of the above pseudocode.
 _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*reg\.exe.*)i AND $ParentProcess=regex(.*cmd\.exe.*)i as #A limit 100
 >>_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*cmd\.exe.*)i NOT $ParentProcess=regex(.*explorer\.exe.*)i as #B limit 100
 >>_checkif sjoin #B.$PPID = #A.$CPID str_compare #B.$SystemName eq #A.$SystemName include
+
 ```
 
 

docs/analytics/CAR-2013-05-003/index.md

@@ -48,6 +48,7 @@ flow = search Flow:Message
 smb_write = filter flow where (dest_port == "445" and protocol == "smb.write")
 smb_write.file_name = smb_write.proto_info.file_name
 output smb_write
+
 ```
 
 

docs/analytics/CAR-2013-07-005/index.md

@@ -14,6 +14,7 @@ Before [exfiltrating data](https://attack.mitre.org/tactics/TA0010) that an adve
 In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "`\* a \*`". This is helpful, as adversaries may change program names.
 
 
+
 ### ATT&CK Detections
 
 |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
@@ -48,6 +49,7 @@ This analytic looks for the command line argument `a`, which is used by RAR. How
 processes = search Process:Create
 rar_argument = filter processes where (command_line == "* a *")
 output rar_argument
+
 ```
 
 
@@ -58,6 +60,7 @@ DNIF version of the above pseudocode.
 
 ```
 _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.* a .*)i limit 100
+
 ```
 
 
@@ -68,6 +71,7 @@ LogPoint version of the above pseudocode.
 
 ```
 norm_id=WindowsSysmon event_id=1 command="* a *"
+
 ```
 
 

docs/analytics/CAR-2013-08-001/index.md

@@ -47,6 +47,7 @@ Look for instances of `schtasks.exe` running as processes. The `command_line` fi
 process = search Process:Create
 schtasks = filter process where (exe == "schtasks.exe")
 output schtasks
+
 ```
 
 
@@ -57,6 +58,7 @@ DNIF version of the above pseudocode.
 
 ```
 _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=schtasks.exe AND $Process=regex(.*(\/create|\/run|\/query|\/delete|\/change|\/end).*)i limit 100
+
 ```
 
 
@@ -67,6 +69,7 @@ LogPoint version of the above pseudocode.
 
 ```
 norm_id=WindowsSysmon event_id=1 image="*\schtasks.exe" command IN ["*/create*", "*/run*", "*/query*", "*/delete*", "*/change*", "*/end*"]
+
 ```
 
 
@@ -85,6 +88,7 @@ Create a new scheduled task with schtasks.exe and verify the analytic fires when
 * To remove the scheduled task, execute `schtasks /Delete /TN calctask`.
 * The program should respond with “SUCCESS: The scheduled task “calctask” was successfully deleted.”
 
+
 ```
 schtasks /Create /SC ONCE /ST 19:00 /TR C:\Windows\System32\calc.exe /TN calctask
 schtasks /Delete /TN calctask

docs/analytics/CAR-2013-10-001/index.md

@@ -19,6 +19,7 @@ Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pr
 The time of login events for distinct users on individual systems
 
 
+
 ### ATT&CK Detections
 
 |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
@@ -50,6 +51,7 @@ logon_events = search User_Session:Login
 filtered_logons = filter logon_events where (
   user NOT IN TOP30(user))
 output filtered_logons
+
 ```
 
 
@@ -61,6 +63,7 @@ Splunk version of the above pseudocode. NOTE - this is liable to be quite noisy
 
 ```
 index=__your_win_event_log_index__ EventCode=4624|search NOT [search index=__your_win_event_log_index__ EventCode=4624|top 30 Account_Name|table Account_Name]
+
 ```
 
 
@@ -75,6 +78,7 @@ _fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICA
 >>_store in_disk david_test win_top_30 stack_replace
 >>_fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICATION AND $Action=LOGIN limit 10000
 >>_checkif lookup david_test win_top_30 join $ScopeID = $ScopeID str_compare $User eq $User exclude
+
 ```
 
 

docs/analytics/CAR-2013-10-002/index.md

@@ -18,6 +18,7 @@ Microsoft Windows allows for processes to remotely create threads within other p
 This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is `LoadLibraryA` or `LoadLibraryW`, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.
 
 
+
 ### ATT&CK Detections
 
 |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
@@ -56,6 +57,7 @@ remote_thread = filter (start_function == "LoadLibraryA" or start_function == "L
 remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")
 
 output remote_thread
+
 ```
 
 
@@ -66,6 +68,7 @@ LogPoint version of the above pseudocode.
 
 ```
 norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe"
+
 ```