D3FEND defensive techniques
271 MITRE D3FEND defences across 7 tactics (Model, Harden, Detect, Isolate, Deceive, Evict, Restore). Filter by tactic or browse the full set. Authored by Adam Lundqvist.
90 in Detect · 271 total
| ID | Title | Summary |
|---|---|---|
| D3-ACA | Active Certificate Analysis | Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis. |
| D3-AEM | Application Exception Monitoring | Monitoring the failures of system counters and timers. |
| D3-ANAA | Administrative Network Activity Analysis | Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline. |
| D3-ANET | Authentication Event Thresholding | Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile. |
| D3-APCA | Application Protocol Command Analysis | Analyzing application protocol level remote commands to detect unauthorized activity. |
| D3-APM | Application Performance Monitoring | Monitoring the count and duration of the application or program cycle. |
| D3-AZET | Authorization Event Thresholding | Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile. |
| D3-BSE | Byte Sequence Emulation | Analyzing sequences of bytes and determining if they likely represent malicious shellcode. |
| D3-CA | Certificate Analysis | Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-… |
| D3-CAA | Connection Attempt Analysis | Analyzing failed connections in a network to detect unauthorized activity. |
| D3-CCSA | Credential Compromise Scope Analysis | Determining which credentials may have been compromised by analyzing the user logon history of a particular system. |
| D3-CSPP | Client-server Payload Profiling | Comparing client-server request and response payloads to a baseline profile to identify outliers. |
| D3-DA | Dynamic Analysis | Executing or opening a file in a synthetic "sandbox" environment to determine if the file is a malicious program or if the file exploits another program such a… |
| D3-DAM | Domain Account Monitoring | Monitoring the existence of or changes to Domain User Accounts. |
| D3-DNRA | Domain Name Reputation Analysis | Analyzing the reputation of a domain name. |
| D3-DNSTA | DNS Traffic Analysis | Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host. |
| D3-DQSA | Database Query String Analysis | Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html). |
| D3-EFA | Emulated File Analysis | Emulating instructions in a file looking for specific patterns. |
| D3-EHB | Endpoint Health Beacon | Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has b… |
| D3-ELM | Electronic Lock Monitoring | Monitoring electronic lock and door hardware states and access events (e.g., locked/unlocked, access granted/denied, door forced/held, tamper) to detect and re… |
| D3-FA | File Analysis | |
| D3-FAPA | File Access Pattern Analysis | Analyzing the files accessed by a process to identify unauthorized activity. |
| D3-FBA | Firmware Behavior Analysis | Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity. |
| D3-FC | File Carving | Identifying and extracting files from network application protocols through the use of network stream reassembly software. |
| D3-FCA | File Creation Analysis | Analyzing the properties of file create system call invocations. |
| D3-FCOA | File Content Analysis | Employing a pattern matching algorithm to statically analyze the content of files. |
| D3-FCR | File Content Rules | Employing a pattern matching rule language to analyze the content of files. |
| D3-FEMC | Firmware Embedded Monitoring Code | Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data. |
| D3-FH | File Hashing | Employing file hash comparisons to detect known malware. |
| D3-FHRA | File Hash Reputation Analysis | Analyzing the reputation of a file hash. |
| D3-FIM | File Integrity Monitoring | Detecting any suspicious changes to files in a computer system. |
| D3-FV | Firmware Verification | Cryptographically verifying firmware integrity. |
| D3-HD | Homoglyph Detection | Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user. |
| D3-IAA | Identifier Activity Analysis | Taking known malicious identifiers and determining if they are present in a system. |
| D3-IBCA | Indirect Branch Call Analysis | Analyzing vendor specific branch call recording in order to detect ROP style attacks. |
| D3-ID | Identifier Analysis | |
| D3-IDA | Input Device Analysis | Operating system level mechanisms to prevent abusive input device exploitation. |
| D3-IPCTA | IPC Traffic Analysis | Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity. |
| D3-IPRA | IP Reputation Analysis | Analyzing the reputation of an IP address. |
| D3-IRA | Identifier Reputation Analysis | Analyzing the reputation of an identifier. |
| D3-ISVA | Inbound Session Volume Analysis | Analyzing inbound network session or connection attempt volume. |
| D3-JFAPA | Job Function Access Pattern Analysis | Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function,… |
| D3-LAM | Local Account Monitoring | Analyzing local user accounts to detect unauthorized activity. |
| D3-MA | Message Analysis | |
| D3-MBT | Memory Boundary Tracking | Analyzing a call stack for return addresses which point to unexpected memory locations. |
| D3-MSM | Motion Sensor Monitoring | Monitoring events from motion detectors (e.g., passive IR, microwave, dual-technology) to detect presence or movement within protected areas. |
| D3-NTA | Network Traffic Analysis | |
| D3-NTCD | Network Traffic Community Deviation | Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication. |
| D3-NTSA | Network Traffic Signature Analysis | Analyzing network traffic and comparing it to known signatures. |
| D3-OMM | Operating Mode Monitoring | Detects operating modes such as Program, Run, Remote, or Stop. |
| D3-OPM | Operational Process Monitoring | Monitoring physical parameters and operator actions related to an operational environment. |
| D3-OSM | Operating System Monitoring | The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic.… |
| D3-PA | Process Analysis | |
| D3-PCA | Passive Certificate Analysis | Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity. |
| D3-PCSV | Process Code Segment Verification | Comparing the "text" or "code" memory segments to a source of truth. |
| D3-PFV | Peripheral Firmware Verification | Cryptographically verifying peripheral firmware integrity. |
| D3-PHAM | Physical Access Monitoring | |
| D3-PHDURA | Per Host Download-Upload Ratio Analysis | Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host. |
| D3-PLA | Process Lineage Analysis | Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of eac… |
| D3-PM | Platform Monitoring | |
| D3-PMAD | Protocol Metadata Anomaly Detection | Collecting network communication protocol metadata and identifying statistical outliers. |
| D3-PSA | Process Spawn Analysis | Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized. |
| D3-PSM | Proximity Sensor Monitoring | Monitoring events from proximity sensors that indicate a credential or tagged asset is within the sensor’s read range or a defined zone. Common enabling techno… |
| D3-PSMD | Process Self-Modification Detection | Detects processes that modify, change, or replace their own code at runtime. |
| D3-PUM | Platform Uptime Monitoring | Monitoring the amount of time since the last power cycle or restart. |
| D3-RAPA | Resource Access Pattern Analysis | Analyzing the resources accessed by a user to identify unauthorized activity. |
| D3-RFUM | Remote Firmware Update Monitoring | Monitoring of remote firmware update commands to identify unauthorized software installations. |
| D3-RPA | Relay Pattern Analysis | The detection of an internal host relaying traffic between the internal network and the external network. |
| D3-RTA | RPC Traffic Analysis | Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities. |
| D3-RTSD | Remote Terminal Session Detection | Detection of an unauthorized remote live terminal console session by examining network traffic to a network host. |
| D3-SBV | Service Binary Verification | Analyzing changes in service binary files by comparing to a source of truth. |
| D3-SCA | System Call Analysis | Analyzing system calls to determine whether a process is exhibiting unauthorized behavior. |
| D3-SDA | Session Duration Analysis | Analyzing the duration of user sessions in order to detect unauthorized activity. |
| D3-SDM | System Daemon Monitoring | Tracking changes to the state or configuration of critical system level processes. |
| D3-SEA | Script Execution Analysis | Analyzing the execution of a script to detect unauthorized user activity. |
| D3-SFA | System File Analysis | Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering. |
| D3-SFV | System Firmware Verification | Cryptographically verifying installed system firmware integrity. |
| D3-SICA | System Init Config Analysis | Analysis of any system process startup configuration. |
| D3-SJA | Scheduled Job Analysis | Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling. |
| D3-SMRA | Sender MTA Reputation Analysis | Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails. |
| D3-SRA | Sender Reputation Analysis | Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging). |
| D3-SSC | Shadow Stack Comparisons | Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity. |
| D3-UA | URL Analysis | Determining if a URL is benign or malicious by analyzing the URL or its components. |
| D3-UBA | User Behavior Analysis | |
| D3-UDTA | User Data Transfer Analysis | Analyzing the amount of data transferred by a user. |
| D3-UGLPA | User Geolocation Logon Pattern Analysis | Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location. |
| D3-URA | URL Reputation Analysis | Analyzing the reputation of a URL. |
| D3-USICA | User Session Init Config Analysis | Analyzing modifications to user session config files such as .bashrc or .bash_profile. |
| D3-VS | Video Surveillance | Monitoring of physical areas via camera video feeds to deter, detect, and investigate unauthorized access and related security events. |
| D3-WSAA | Web Session Activity Analysis | Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined maliciou… |