Currently viewing SPARTA v1.0. Learn more about the versioning system or see the live site.

TECHNIQUES

D3FEND

Model

D3-AI - Asset Inventory

D3-CI - Configuration Inventory

D3-DI - Data Inventory

D3-SWI - Software Inventory

D3-AVE - Asset Vulnerability Enumeration

D3-NNI - Network Node Inventory

D3-HCI - Hardware Component Inventory

D3-NM - Network Mapping

D3-LLM - Logical Link Mapping

D3-ALLM - Active Logical Link Mapping

D3-PLLM - Passive Logical Link Mapping

D3-NVA - Network Vulnerability Assessment

D3-PLM - Physical Link Mapping

D3-APLM - Active Physical Link Mapping

D3-PPLM - Passive Physical Link Mapping

D3-NTPM - Network Traffic Policy Mapping

D3-OAM - Operational Activity Mapping

D3-AM - Access Modeling

D3-ODM - Operational Dependency Mapping

D3-ORA - Operational Risk Assessment

D3-OM - Organization Mapping

D3-SYSM - System Mapping

D3-DEM - Data Exchange Mapping

D3-SVCDM - Service Dependency Mapping

D3-SYSDM - System Dependency Mapping

D3-SYSVA - System Vulnerability Assessment

Harden

D3-MH - Message Hardening

D3-MAN - Message Authentication

D3-MENCR - Message Encryption

D3-TAAN - Transfer Agent Authentication

D3-CH - Credential Hardening

D3-BAN - Biometric Authentication

D3-CBAN - Certificate-based Authentication

D3-CP - Certificate Pinning

D3-CTS - Credential Transmission Scoping

D3-DTP - Domain Trust Policy

D3-MFA - Multi-factor Authentication

D3-OTP - One-time Password

D3-SPP - Strong Password Policy

D3-UAP - User Account Permissions

D3-CRO - Credential Rotation

D3-PH - Platform Hardening

D3-BA - Bootloader Authentication

D3-DENCR - Disk Encryption

D3-DLIC - Driver Load Integrity Checking

D3-FE - File Encryption

D3-LFP - Local File Permissions

D3-RFS - RF Shielding

D3-SU - Software Update

D3-SCP - System Configuration Permissions

D3-TBI - TPM Boot Integrity

D3-AH - Application Hardening

D3-ACH - Application Configuration Hardening

D3-DCE - Dead Code Elimination

D3-EHPV - Exception Handler Pointer Validation

D3-PAN - Pointer Authentication

D3-PSEP - Process Segment Execution Prevention

D3-SAOR - Segment Address Offset Randomization

D3-SFCV - Stack Frame Canary Validation

Detect

D3-NTA - Network Traffic Analysis

D3-ANAA - Administrative Network Activity Analysis

D3-BSE - Byte Sequence Emulation

D3-CA - Certificate Analysis

D3-ACA - Active Certificate Analysis

D3-PCA - Passive Certificate Analysis

D3-CSPP - Client-server Payload Profiling

D3-CAA - Connection Attempt Analysis

D3-DNSTA - DNS Traffic Analysis

D3-FC - File Carving

D3-ISVA - Inbound Session Volume Analysis

D3-IPCTA - IPC Traffic Analysis

D3-NTCD - Network Traffic Community Deviation

D3-PHDURA - Per Host Download-Upload Ratio Analysis

D3-PMAD - Protocol Metadata Anomaly Detection

D3-RPA - Relay Pattern Analysis

D3-RTSD - Remote Terminal Session Detection

D3-RTA - RPC Traffic Analysis

D3-PM - Platform Monitoring

D3-FBA - Firmware Behavior Analysis

D3-FEMC - Firmware Embedded Monitoring Code

D3-FV - Firmware Verification

D3-PFV - Peripheral Firmware Verification

D3-SFV - System Firmware Verification

D3-OSM - Operating System Monitoring

D3-EHB - Endpoint Health Beacon

D3-IDA - Input Device Analysis

D3-MBT - Memory Boundary Tracking

D3-SJA - Scheduled Job Analysis

D3-SDM - System Daemon Monitoring

D3-SFA - System File Analysis

D3-SBV - Service Binary Verification

D3-SICA - System Init Config Analysis

D3-USICA - User Session Init Config Analysis

D3-PA - Process Analysis

D3-DQSA - Database Query String Analysis

D3-FAPA - File Access Pattern Analysis

D3-IBCA - Indirect Branch Call Analysis

D3-PCSV - Process Code Segment Verification

D3-PSMD - Process Self-Modification Detection

D3-PSA - Process Spawn Analysis

D3-PLA - Process Lineage Analysis

D3-SEA - Script Execution Analysis

D3-SSC - Shadow Stack Comparisons

D3-SCA - System Call Analysis

D3-FCA - File Creation Analysis

D3-MA - Message Analysis

D3-SMRA - Sender MTA Reputation Analysis

D3-SRA - Sender Reputation Analysis

D3-ID - Identifier Analysis

D3-HD - Homoglyph Detection

D3-UA - URL Analysis

D3-IRA - Identifier Reputation Analysis

D3-DNRA - Domain Name Reputation Analysis

D3-FHRA - File Hash Reputation Analysis

D3-IPRA - IP Reputation Analysis

D3-URA - URL Reputation Analysis

D3-IAA - Identifier Activity Analysis

D3-UBA - User Behavior Analysis

D3-ANET - Authentication Event Thresholding

D3-AZET - Authorization Event Thresholding

D3-CCSA - Credential Compromise Scope Analysis

D3-DAM - Domain Account Monitoring

D3-JFAPA - Job Function Access Pattern Analysis

D3-LAM - Local Account Monitoring

D3-RAPA - Resource Access Pattern Analysis

D3-SDA - Session Duration Analysis

D3-UDTA - User Data Transfer Analysis

D3-UGLPA - User Geolocation Logon Pattern Analysis

D3-WSAA - Web Session Activity Analysis

D3-FA - File Analysis

D3-DA - Dynamic Analysis

D3-EFA - Emulated File Analysis

D3-FCR - File Content Rules

D3-FH - File Hashing

Isolate

D3-NI - Network Isolation

D3-BDI - Broadcast Domain Isolation

D3-DNSAL - DNS Allowlisting

D3-DNSDL - DNS Denylisting

D3-FRDDL - Forward Resolution Domain Denylisting

D3-HDDL - Hierarchical Domain Denylisting

D3-HDL - Homoglyph Denylisting

D3-FRIDL - Forward Resolution IP Denylisting

D3-RRDD - Reverse Resolution Domain Denylisting

D3-RRID - Reverse Resolution IP Denylisting

D3-ET - Encrypted Tunnels

D3-NTF - Network Traffic Filtering

D3-ITF - Inbound Traffic Filtering

D3-OTF - Outbound Traffic Filtering

D3-EI - Execution Isolation

D3-EAL - Executable Allowlisting

D3-EDL - Executable Denylisting

D3-HBPI - Hardware-based Process Isolation

D3-IOPR - IO Port Restriction

D3-KBPI - Kernel-based Process Isolation

D3-MAC - Mandatory Access Control

D3-SCF - System Call Filtering

Deceive

D3-DE - Decoy Environment

D3-CHN - Connected Honeynet

D3-IHN - Integrated Honeynet

D3-SHN - Standalone Honeynet

D3-DO - Decoy Object

D3-DF - Decoy File

D3-DNR - Decoy Network Resource

D3-DP - Decoy Persona

D3-DPR - Decoy Public Release

D3-DST - Decoy Session Token

D3-DUC - Decoy User Credential

Evict

D3-FEV - File Eviction

D3-FR - File Removal

D3-ER - Email Removal

D3-CE - Credential Eviction

D3-AL - Account Locking

D3-ANCI - Authentication Cache Invalidation

D3-CR - Credential Revoking

D3-PE - Process Eviction

D3-PT - Process Termination

D3-PS - Process Suspension

Process Analysis

Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.

Subclasses ( 11 )

ID	Name
D3-DQSA	Database Query String Analysis
D3-FAPA	File Access Pattern Analysis
D3-IBCA	Indirect Branch Call Analysis
D3-PCSV	Process Code Segment Verification
D3-PSMD	Process Self-Modification Detection
D3-PSA	Process Spawn Analysis
D3-PLA	Process Lineage Analysis
D3-SEA	Script Execution Analysis
D3-SSC	Shadow Stack Comparisons
D3-SCA	System Call Analysis
D3-FCA	File Creation Analysis

ID: D3-PA

Subclasses: D3-DQSA | D3-FAPA | D3-IBCA | D3-PCSV | D3-PSMD | D3-PSA | D3-PLA | D3-SEA | D3-SSC | D3-SCA | D3-FCA

Artifacts: Process Code Segment | Stack Frame | System Call | Process | Create Process | Database Query

ⓘ

Tactic: Detect

Informational References

https://d3fend.mitre.org/technique/d3f:ProcessAnalysis/

Countermeasures

ID		Name	Description	NIST Rev5	D3FEND	ISO 27001

Related SPARTA Techniques and Sub-Techniques

ID		Name	Description

Space Threats Mapped

ID		Description

Sample Requirements

Requirement	Rationale/Additional Guidance/Notes