SI-04 Information System Monitoring Tools And Techniques
System and Information Integrity
Low Moderate High
Description
The organization employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.
Supplemental Guidance
Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, audit record monitoring software, network monitoring software). Monitoring devices are strategically deployed within the information system (e.g., at selected perimeter locations, near server farms supporting critical applications) to collect essential information. Monitoring devices are also deployed at ad hoc locations within the system to track specific transactions. Additionally, these devices are used to track the impact of security changes to the information system. The granularity of the information collected is determined by the organization based upon its monitoring objectives and the capability of the information system to support such activities. Organizations consult appropriate legal counsel with regard to all information system monitoring activities. Organizations heighten the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information. NIST Special Publication 800-61 provides guidance on detecting attacks through various types of security technologies. NIST Special Publication 800-83 provides guidance on detecting malware-based attacks through malicious code protection software. NIST Special Publication 800-92 provides guidance on monitoring and analyzing computer security event logs. NIST Special Publication 800-94 provides guidance on intrusion detection and prevention. Related security control: AC-08.
Changes from Rev 4
Title changed from 'Information System Monitoring' Control text replaces 'Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion' with 'Analyze detected events and anomalies' and replaces 'Heightens' with 'Adjust' Discussion expanded with references to other controls
MITRE ATT&CK Techniques (375)
ATT&CK v16.1Techniques mitigated by this control, mapped via CTID.
Reconnaissance 4 Initial Access 15 Execution 34 Persistence 79 Privilege Escalation 72 Defense Evasion 131 Credential Access 51 Discovery 9 Lateral Movement 18 Collection 25 Command & Control 36 Exfiltration 14 Impact 19
Show all 375 techniques grouped by tactic
Reconnaissance
Initial Access
T1078 Valid Accounts T1091 Replication Through Removable Media T1133 External Remote Services T1189 Drive-by Compromise T1190 Exploit Public-Facing Application T1195 Supply Chain Compromise T1566 Phishing T1078.001 Default Accounts T1078.002 Domain Accounts T1078.003 Local Accounts T1078.004 Cloud Accounts T1195.001 Compromise Software Dependencies and Development Tools T1566.001 Spearphishing Attachment T1566.002 Spearphishing Link T1566.003 Spearphishing via Service
Execution
T1047 Windows Management Instrumentation T1053 Scheduled Task/Job T1059 Command and Scripting Interpreter T1072 Software Deployment Tools T1106 Native API T1129 Shared Modules T1203 Exploitation for Client Execution T1204 User Execution T1559 Inter-Process Communication T1569 System Services T1610 Deploy Container T1648 Serverless Execution T1651 Cloud Administration Command T1053.002 At T1053.003 Cron T1053.005 Scheduled Task T1053.006 Systemd Timers T1059.001 PowerShell T1059.002 AppleScript T1059.003 Windows Command Shell T1059.004 Unix Shell T1059.005 Visual Basic T1059.006 Python T1059.007 JavaScript T1059.008 Network Device CLI T1059.009 Cloud API T1059.010 AutoHotKey & AutoIT T1059.011 Lua T1204.001 Malicious Link T1204.002 Malicious File T1204.003 Malicious Image T1559.002 Dynamic Data Exchange T1559.003 XPC Services T1569.002 Service Execution
Persistence
T1037 Boot or Logon Initialization Scripts T1053 Scheduled Task/Job T1078 Valid Accounts T1098 Account Manipulation T1133 External Remote Services T1136 Create Account T1137 Office Application Startup T1176 Browser Extensions T1197 BITS Jobs T1205 Traffic Signaling T1505 Server Software Component T1525 Implant Internal Image T1543 Create or Modify System Process T1556 Modify Authentication Process T1574 Hijack Execution Flow T1653 Power Settings T1037.002 Login Hook T1037.003 Network Logon Script T1037.004 RC Scripts T1037.005 Startup Items T1053.002 At T1053.003 Cron T1053.005 Scheduled Task T1053.006 Systemd Timers T1078.001 Default Accounts T1078.002 Domain Accounts T1078.003 Local Accounts T1078.004 Cloud Accounts T1098.001 Additional Cloud Credentials T1098.002 Additional Email Delegate Permissions T1098.003 Additional Cloud Roles T1098.004 SSH Authorized Keys T1098.007 Additional Local or Domain Groups T1136.001 Local Account T1136.002 Domain Account T1136.003 Cloud Account T1137.001 Office Template Macros T1205.001 Port Knocking T1205.002 Socket Filters T1505.002 Transport Agent T1505.003 Web Shell T1505.004 IIS Components T1505.005 Terminal Services DLL T1542.004 ROMMONkit T1542.005 TFTP Boot T1543.002 Systemd Service T1546.002 Screensaver T1546.003 Windows Management Instrumentation Event Subscription T1546.004 Unix Shell Configuration Modification T1546.006 LC_LOAD_DYLIB Addition T1546.008 Accessibility Features T1546.013 PowerShell Profile T1546.014 Emond T1546.016 Installer Packages T1547.002 Authentication Package T1547.003 Time Providers T1547.004 Winlogon Helper DLL T1547.005 Security Support Provider T1547.006 Kernel Modules and Extensions T1547.007 Re-opened Applications T1547.008 LSASS Driver T1547.009 Shortcut Modification T1547.012 Print Processors T1547.013 XDG Autostart Entries T1556.001 Domain Controller Authentication T1556.002 Password Filter DLL T1556.003 Pluggable Authentication Modules T1556.004 Network Device Authentication T1556.008 Network Provider DLL T1556.009 Conditional Access Policies T1574.001 DLL Search Order Hijacking T1574.004 Dylib Hijacking T1574.005 Executable Installer File Permissions Weakness T1574.007 Path Interception by PATH Environment Variable T1574.008 Path Interception by Search Order Hijacking T1574.009 Path Interception by Unquoted Path T1574.010 Services File Permissions Weakness T1574.013 KernelCallbackTable T1574.014 AppDomainManager
Privilege Escalation
T1037 Boot or Logon Initialization Scripts T1053 Scheduled Task/Job T1055 Process Injection T1068 Exploitation for Privilege Escalation T1078 Valid Accounts T1098 Account Manipulation T1484 Domain or Tenant Policy Modification T1543 Create or Modify System Process T1548 Abuse Elevation Control Mechanism T1574 Hijack Execution Flow T1611 Escape to Host T1037.002 Login Hook T1037.003 Network Logon Script T1037.004 RC Scripts T1037.005 Startup Items T1053.002 At T1053.003 Cron T1053.005 Scheduled Task T1053.006 Systemd Timers T1055.001 Dynamic-link Library Injection T1055.002 Portable Executable Injection T1055.003 Thread Execution Hijacking T1055.004 Asynchronous Procedure Call T1055.005 Thread Local Storage T1055.008 Ptrace System Calls T1055.009 Proc Memory T1055.011 Extra Window Memory Injection T1055.012 Process Hollowing T1055.013 Process Doppelgänging T1055.014 VDSO Hijacking T1078.001 Default Accounts T1078.002 Domain Accounts T1078.003 Local Accounts T1078.004 Cloud Accounts T1098.001 Additional Cloud Credentials T1098.002 Additional Email Delegate Permissions T1098.003 Additional Cloud Roles T1098.004 SSH Authorized Keys T1098.007 Additional Local or Domain Groups T1543.002 Systemd Service T1546.002 Screensaver T1546.003 Windows Management Instrumentation Event Subscription T1546.004 Unix Shell Configuration Modification T1546.006 LC_LOAD_DYLIB Addition T1546.008 Accessibility Features T1546.013 PowerShell Profile T1546.014 Emond T1546.016 Installer Packages T1547.002 Authentication Package T1547.003 Time Providers T1547.004 Winlogon Helper DLL T1547.005 Security Support Provider T1547.006 Kernel Modules and Extensions T1547.007 Re-opened Applications T1547.008 LSASS Driver T1547.009 Shortcut Modification T1547.012 Print Processors T1547.013 XDG Autostart Entries T1548.001 Setuid and Setgid T1548.002 Bypass User Account Control T1548.003 Sudo and Sudo Caching T1548.004 Elevated Execution with Prompt T1548.006 TCC Manipulation T1574.001 DLL Search Order Hijacking T1574.004 Dylib Hijacking T1574.005 Executable Installer File Permissions Weakness T1574.007 Path Interception by PATH Environment Variable T1574.008 Path Interception by Search Order Hijacking T1574.009 Path Interception by Unquoted Path T1574.010 Services File Permissions Weakness T1574.013 KernelCallbackTable T1574.014 AppDomainManager
Defense Evasion
T1027 Obfuscated Files or Information T1036 Masquerading T1055 Process Injection T1070 Indicator Removal T1078 Valid Accounts T1127 Trusted Developer Utilities Proxy Execution T1197 BITS Jobs T1205 Traffic Signaling T1211 Exploitation for Defense Evasion T1216 System Script Proxy Execution T1218 System Binary Proxy Execution T1220 XSL Script Processing T1221 Template Injection T1222 File and Directory Permissions Modification T1484 Domain or Tenant Policy Modification T1548 Abuse Elevation Control Mechanism T1553 Subvert Trust Controls T1556 Modify Authentication Process T1562 Impair Defenses T1574 Hijack Execution Flow T1578 Modify Cloud Compute Infrastructure T1599 Network Boundary Bridging T1601 Modify System Image T1610 Deploy Container T1612 Build Image on Host T1622 Debugger Evasion T1647 Plist File Modification T1027.002 Software Packing T1027.007 Dynamic API Resolution T1027.008 Stripped Payloads T1027.009 Embedded Payloads T1027.010 Command Obfuscation T1027.011 Fileless Storage T1027.012 LNK Icon Smuggling T1036.001 Invalid Code Signature T1036.003 Rename System Utilities T1036.005 Match Legitimate Name or Location T1036.007 Double File Extension T1036.008 Masquerade File Type T1036.010 Masquerade Account Name T1055.001 Dynamic-link Library Injection T1055.002 Portable Executable Injection T1055.003 Thread Execution Hijacking T1055.004 Asynchronous Procedure Call T1055.005 Thread Local Storage T1055.008 Ptrace System Calls T1055.009 Proc Memory T1055.011 Extra Window Memory Injection T1055.012 Process Hollowing T1055.013 Process Doppelgänging T1055.014 VDSO Hijacking T1070.001 Clear Windows Event Logs T1070.002 Clear Linux or Mac System Logs T1070.003 Clear Command History T1070.007 Clear Network Connection History and Configurations T1070.008 Clear Mailbox Data T1070.009 Clear Persistence T1070.010 Relocate Malware T1078.001 Default Accounts T1078.002 Domain Accounts T1078.003 Local Accounts T1078.004 Cloud Accounts T1127.001 MSBuild T1127.002 ClickOnce T1205.001 Port Knocking T1205.002 Socket Filters T1216.001 PubPrn T1218.001 Compiled HTML File T1218.002 Control Panel T1218.003 CMSTP T1218.004 InstallUtil T1218.005 Mshta T1218.008 Odbcconf T1218.009 Regsvcs/Regasm T1218.010 Regsvr32 T1218.011 Rundll32 T1218.012 Verclsid T1218.013 Mavinject T1218.014 MMC T1218.015 Electron Applications T1222.001 Windows File and Directory Permissions Modification T1222.002 Linux and Mac File and Directory Permissions Modification T1542.004 ROMMONkit T1542.005 TFTP Boot T1548.001 Setuid and Setgid T1548.002 Bypass User Account Control T1548.003 Sudo and Sudo Caching T1548.004 Elevated Execution with Prompt T1548.006 TCC Manipulation T1550.001 Application Access Token T1550.003 Pass the Ticket T1553.001 Gatekeeper Bypass T1553.003 SIP and Trust Provider Hijacking T1553.004 Install Root Certificate T1553.005 Mark-of-the-Web Bypass T1556.001 Domain Controller Authentication T1556.002 Password Filter DLL T1556.003 Pluggable Authentication Modules T1556.004 Network Device Authentication T1556.008 Network Provider DLL T1556.009 Conditional Access Policies T1562.001 Disable or Modify Tools T1562.002 Disable Windows Event Logging T1562.003 Impair Command History Logging T1562.004 Disable or Modify System Firewall T1562.006 Indicator Blocking T1562.010 Downgrade Attack T1562.011 Spoof Security Alerting T1562.012 Disable or Modify Linux Audit System T1564.002 Hidden Users T1564.004 NTFS File Attributes T1564.006 Run Virtual Instance T1564.007 VBA Stomping T1564.008 Email Hiding Rules T1564.009 Resource Forking T1564.010 Process Argument Spoofing T1574.001 DLL Search Order Hijacking T1574.004 Dylib Hijacking T1574.005 Executable Installer File Permissions Weakness T1574.007 Path Interception by PATH Environment Variable T1574.008 Path Interception by Search Order Hijacking T1574.009 Path Interception by Unquoted Path T1574.010 Services File Permissions Weakness T1574.013 KernelCallbackTable T1574.014 AppDomainManager T1578.001 Create Snapshot T1578.002 Create Cloud Instance T1578.003 Delete Cloud Instance T1599.001 Network Address Translation Traversal T1601.001 Patch System Image T1601.002 Downgrade System Image
Credential Access
T1003 OS Credential Dumping T1040 Network Sniffing T1110 Brute Force T1111 Multi-Factor Authentication Interception T1187 Forced Authentication T1212 Exploitation for Credential Access T1528 Steal Application Access Token T1539 Steal Web Session Cookie T1552 Unsecured Credentials T1555 Credentials from Password Stores T1556 Modify Authentication Process T1557 Adversary-in-the-Middle T1558 Steal or Forge Kerberos Tickets T1003.001 LSASS Memory T1003.002 Security Account Manager T1003.003 NTDS T1003.004 LSA Secrets T1003.005 Cached Domain Credentials T1003.006 DCSync T1003.007 Proc Filesystem T1003.008 /etc/passwd and /etc/shadow T1056.002 GUI Input Capture T1110.001 Password Guessing T1110.002 Password Cracking T1110.003 Password Spraying T1110.004 Credential Stuffing T1552.001 Credentials In Files T1552.002 Credentials in Registry T1552.003 Bash History T1552.004 Private Keys T1552.005 Cloud Instance Metadata API T1552.006 Group Policy Preferences T1552.008 Chat Messages T1555.001 Keychain T1555.002 Securityd Memory T1555.004 Windows Credential Manager T1555.005 Password Managers T1556.001 Domain Controller Authentication T1556.002 Password Filter DLL T1556.003 Pluggable Authentication Modules T1556.004 Network Device Authentication T1556.008 Network Provider DLL T1556.009 Conditional Access Policies T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay T1557.002 ARP Cache Poisoning T1557.003 DHCP Spoofing T1557.004 Evil Twin T1558.002 Silver Ticket T1558.003 Kerberoasting T1558.004 AS-REP Roasting T1558.005 Ccache Files
Discovery
Lateral Movement
T1021 Remote Services T1072 Software Deployment Tools T1080 Taint Shared Content T1091 Replication Through Removable Media T1210 Exploitation of Remote Services T1563 Remote Service Session Hijacking T1570 Lateral Tool Transfer T1021.001 Remote Desktop Protocol T1021.002 SMB/Windows Admin Shares T1021.003 Distributed Component Object Model T1021.004 SSH T1021.005 VNC T1021.006 Windows Remote Management T1021.008 Direct Cloud VM Connections T1550.001 Application Access Token T1550.003 Pass the Ticket T1563.001 SSH Hijacking T1563.002 RDP Hijacking
Collection
T1005 Data from Local System T1025 Data from Removable Media T1114 Email Collection T1119 Automated Collection T1185 Browser Session Hijacking T1213 Data from Information Repositories T1530 Data from Cloud Storage T1557 Adversary-in-the-Middle T1560 Archive Collected Data T1602 Data from Configuration Repository T1056.002 GUI Input Capture T1114.001 Local Email Collection T1114.002 Remote Email Collection T1114.003 Email Forwarding Rule T1213.001 Confluence T1213.002 Sharepoint T1213.004 Customer Relationship Management Software T1213.005 Messaging Applications T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay T1557.002 ARP Cache Poisoning T1557.003 DHCP Spoofing T1557.004 Evil Twin T1560.001 Archive via Utility T1602.001 SNMP (MIB Dump) T1602.002 Network Device Configuration Dump
Command & Control
T1001 Data Obfuscation T1008 Fallback Channels T1071 Application Layer Protocol T1090 Proxy T1092 Communication Through Removable Media T1095 Non-Application Layer Protocol T1102 Web Service T1104 Multi-Stage Channels T1105 Ingress Tool Transfer T1132 Data Encoding T1205 Traffic Signaling T1219 Remote Access Software T1568 Dynamic Resolution T1571 Non-Standard Port T1572 Protocol Tunneling T1573 Encrypted Channel T1001.001 Junk Data T1001.002 Steganography T1001.003 Protocol or Service Impersonation T1071.001 Web Protocols T1071.002 File Transfer Protocols T1071.003 Mail Protocols T1071.004 DNS T1071.005 Publish/Subscribe Protocols T1090.001 Internal Proxy T1090.002 External Proxy T1102.001 Dead Drop Resolver T1102.002 Bidirectional Communication T1102.003 One-Way Communication T1132.001 Standard Encoding T1132.002 Non-Standard Encoding T1205.001 Port Knocking T1205.002 Socket Filters T1568.002 Domain Generation Algorithms T1573.001 Symmetric Cryptography T1573.002 Asymmetric Cryptography
Exfiltration
T1011 Exfiltration Over Other Network Medium T1029 Scheduled Transfer T1030 Data Transfer Size Limits T1041 Exfiltration Over C2 Channel T1048 Exfiltration Over Alternative Protocol T1052 Exfiltration Over Physical Medium T1537 Transfer Data to Cloud Account T1567 Exfiltration Over Web Service T1011.001 Exfiltration Over Bluetooth T1020.001 Traffic Duplication T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol T1052.001 Exfiltration over USB
Impact
T1485 Data Destruction T1486 Data Encrypted for Impact T1489 Service Stop T1490 Inhibit System Recovery T1491 Defacement T1499 Endpoint Denial of Service T1561 Disk Wipe T1565 Data Manipulation T1491.001 Internal Defacement T1491.002 External Defacement T1499.001 OS Exhaustion Flood T1499.002 Service Exhaustion Flood T1499.003 Application Exhaustion Flood T1499.004 Application or System Exploitation T1561.001 Disk Content Wipe T1561.002 Disk Structure Wipe T1565.001 Stored Data Manipulation T1565.002 Transmitted Data Manipulation T1565.003 Runtime Data Manipulation
Compliance Mappings
ISO 27001:2022
9.1A.8.12A.8.16
ISO 27002:2022
5.258.128.16
COBIT 2019
DSS01DSS05MEA01
CIS Controls v8
CIS 1.4CIS 10CIS 10.7CIS 13CIS 13.1CIS 13.10CIS 13.11CIS 13.2CIS 13.3CIS 13.6CIS 13.7CIS 13.8CIS 3.13CIS 8.7CIS 8.9
NIST CSF 2.0
DE.AE-02DE.AE-03DE.AE-04DE.AE-06DE.CM-01DE.CM-03DE.CM-06DE.CM-09ID.IM-03RS.AN-03
SOC 2 TSC
CC6.6CC6.6-POF2CC7.2CC7.2-POF1CC7.3
PCI DSS v4.0.1
10.410.711.211.511.6
CSA CCM v4
IVS-09LOG-03LOG-05LOG-13UEM-11
CSA AICM v1
AIS-12I&S-09LOG-03LOG-05LOG-13LOG-14MDS-05TVM-11TVM-13UEM-11
FINOS CCC
CCC-C08
ISO 42001:2023
A.6.2.6
IEC 62443
3-3 SR 6.2
PRA Operational Resilience
SS2/21-7.1
MAS TRM
1112
APRA CPS 234
Para 22-23
BSI IT-Grundschutz
DER.1
ANSSI
Hygiene.29Hygiene.39SecNumCloud.13.7
FINMA Circular 2023/1
IV.C(66)IV.C(67)IV.C(68)IV.C(69)
OSFI B-13
B-13.3.3
EU GDPR
Art.32(1)(b)Art.32(1)(d)
EU DORA
Art.10(1)Art.10(2)
BIO2
5.258.128.16
RBI CSF
Annex1.4Annex1.13Annex1.16Annex1.20
FISC Security Guidelines
FISC.O2FISC.O4
LGPD + BCB 4893
BCB.Art.3BCB.Art.6BCB.Art.7BCB.PIXLGPD.Art.46
HKMA TM-E-1
TME1.10.1TME1.11.3TME1.5.2TME1.7.3TME1.7.5
MLPS 2.0
8.1.10.58.1.3.38.1.4.48.1.4.58.1.5.48.28.38.48.5
DNB Good Practice
DNB.16.1DNB.19.1
EU CRA
CRA.I.2dCRA.I.2iCRA.I.2l
SWIFT CSCF
SWIFT.2.9SWIFT.6.1SWIFT.6.4SWIFT.6.5A
SAMA CSF
3.33.6
NCA ECC
2-122-42-55-1
UAE IA
T11T7
CBB TM
TM-12TM-13TM-8
Qatar NIA
IMOS
CBUAE
CR-3CR-7
CBE CSF
CD-1CTO-6CTO-7CTO-8
SA JS2
JS2-7.2JS2-7.3JS2-7.6JS2-8.4
CBN CSF
Part2.2Part3.3Part3.5Part4
BoG CISD
CISD-VICISD-VII
POPIA
s19
BoM CTRM
3.24.14.25.1
IOSCO Cyber Resilience
DET-1DET-2DET-3DET-4
BCBS 239
Principle 10
CPMI-IOSCO PFMI
CG.DEPFMI.P17
FFIEC IS
II.C.12II.C.16II.C.9II.DIII.AIII.BIII.C
NYDFS 500
500.14500.2500.6
HIPAA Security Rule
§164.308(a)(1)(ii)(D)§164.308(a)(5)(ii)(B)§164.308(a)(5)(ii)(C)§164.308(a)(6)(ii)
ECB CROE
CROE.2.3.5CROE.2.4
EBA ICT Guidelines
3.4.53.5(c)3.8(c)
SEBI CSCRF
DE.CMDE.DPPR.NSRS.ANSOC
BOT Cyber Resilience
Ch2.6Ch3.1Ch8.2
CMMC 2.0
AUSI
NERC CIP
CIP-007-6CIP-015-1
10 CFR 73.54
RG5.71-A-AURG5.71-A-SI
TSA Pipeline SD
SD-2 Sec C
FERC CIP Orders
Order 881
DOE C2M2 v2.1
SITUATION
API 1164
Sec 9
AWIA
AWWA Sec 4AWWA Sec 5
IAEA NSS 17-T
Sec 5.5
PCI PTS v6
IJL
CBEST
CBEST.5
TIBER-EU
TIBER.BT
Common Criteria
CC Part 2 — FAU
ISAE 3402
Clause 4
Solvency II
EIOPA-ICT-4.9
Lloyd's Minimum Standards
MS2.1MS8.10MS8.12MS8.5
NAIC Insurance Data Security
44-audit4-monitoring4B5
PRA SS1/23
P5.2P5.3
FCA SYSC 13
SYSC 13.7.5
HITRUST CSF v11
09.c09.e09.g11.a11.c
FDA Cybersecurity Guidance
MON-3PU-3SA-5
ISO 27799
12.216.2
NHS DSPT
NDG-9.3NDG-9.5NDG-9.9
OWASP MASVS v2.1
MASVS-RESILIENCE-4
CCSS v9.0
1.02.82.04.22.04.3
MiCA
Art.68(1)Art.62(5)Art.62(8)Art.88(1)Art.92(1)
Basel SCO60
SCO60.13SCO60.51SCO60.55SCO60.64SCO60.65SCO60.72
BSSC Standards
NOS-06TIS-05GSP-12
SEC Custody (Digital Assets)
SEC-CD-11SEC-CD-16
ISO 17799 (legacy)
10.6.210.10.110.10.210.10.4
COBIT 4.1 (legacy)
PO2.4DS5.5DS5.10