
System Activity Monitoring

Collect system activity logs that can reveal adversary activity.

Captured system logs can show logins, user and system events, and similar activity. A defender can use this built-in system logging to study and collect first-hand observations about the adversary's actions and tools.

This data can be sent to a centralized collection location for further analysis. Careful planning should guide which system logs are collected and at what level. For example, understanding the adversary's known TTPs will highlight the resources the adversary is likely to touch, and therefore which system logs are likely to capture adversary activity. If the logging level is set too high or too many system logs are collected, the defender may be blinded by the excess data.

Overall, System Activity Monitoring is essential to maintain situational awareness of adversarial activities in order to ensure operational safety and progress towards operational goals. Careful pre-operational planning should be done to properly instrument the engagement environment. This will ensure that all key network traffic is collected.

Details
ID: EAC0003
Type: Engagement
Goals: Expose
Approaches: Collection

Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using System Activity Monitoring.

ATT&CK® Tactics | Adversary Vulnerability Presented
Credential Access, Defense Evasion, Privilege Escalation, Initial Access, Persistence, Impact | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior.
Lateral Movement | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
Command and Control, Defense Evasion | When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation.
Persistence | When adversaries collect manipulated artifacts, they are vulnerable to revealing their presence when using or moving the artifacts elsewhere in the engagement environment.
Credential Access | When adversaries use previously stolen information to access or move laterally within an environment, they may reveal previous collection activities.
Persistence | When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity.