mdecrevoisier / EVTX-to-MITRE-Attack

Set of EVTX samples (>270) mapped to MITRE ATT&CK tactic and techniques to measure your SIEM coverage or developed new use cases.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

EVTX to MITRE ATT@CK

Project purpose

EVTX to MITRE ATT@CK is a Security Information Management System orientated project. It provides >270 Windows IOCs indicators classified per Tactic and Technique in order to address different security scenarios with your SIEM:

  • Measure your security coverage
  • Enhance your detection capacities
  • Identify security gaps or uncovered threats
  • Design new use cases

How to use the IOCs

IOCs are provided in the EVTX format, the standard format established by Microsoft starting Windows Server 2008 and Windows Vista for event logs. Depending on the SIEM solution you utilize, you may need to make your agent (NXLog, Winlogbeat, Splunk UF, ArcSight, WinCollect, Snare, ...) pointing to the EVTX files and send the content to your SIEM in the adequate format.

Microsoft log sources used:

  • Windows 10
  • Windows Server 2012 R2 and higher
  • Active Directory Domain Services (ADDS)
  • Active Directory Certification Services (ADCS / PKI) with online responder (OCSP)
  • SQL Server 2014
  • Windows Defender
  • SYSMON v11 and higher
  • Exchange 2016
  • Internet Information Services (IIS web server) -- planned

Related and/or connected projects:

If you are interesting in external projects arround SIGMA and EVTX analysis, I would like to suggest the following ones:

IOCs content

ATT@CK Tactic ATT@CK Technique Description Event IDs Threat name / Tool / CVE
Antivirus Antivirus Defender: antivirus not up to date 1151
Antivirus Antivirus Defender: massive malware outbreak detected on multiple hosts 1116
Antivirus Antivirus Defender: massive malwares detected on a single host 1116
TA0001-Initial access T1078.002-Valid accounts-Domain accounts Login denied due to account policy restrictions 4625
TA0001-Initial access T1078.002-Valid accounts-Domain accounts Login failure from a single source with a disabled account 33205
TA0001-Initial access T1078.002-Valid accounts-Domain accounts Success login on OpenSSH server 4 SSH server
TA0001-Initial access T1078.002-Valid accounts-Domain accounts Success login on OpenSSH server 4624 SSH server
TA0001-Initial access T1078-Valid accounts RDP reconnaissance with valid credentials performed to multiple hosts 4624 or 1149
TA0002-Execution T1047-Windows Management Instrumentation Impacket WMIexec process execution 1 or 4688 WMIexec
TA0002-Execution T1053.005-Scheduled Task Interactive shell triggered by scheduled task (at, deprecated) 1 or 4688
TA0002-Execution T1053.005-Scheduled Task Persistent scheduled task with SYSTEM privileges creation 1 or 4688
TA0002-Execution T1053.005-Scheduled Task Remote schedule task creation via named pipes 5145 Atexec
TA0002-Execution T1053.005-Scheduled Task Schedule task created with suspicious arguments 4698 Atexec
TA0002-Execution T1053.005-Scheduled Task Schedule task fastly created and deleted 4698 and 4699 Atexec
TA0002-Execution T1053.005-Scheduled Task Scheduled task creation 1 or 4688
TA0002-Execution T1059.001-Command and Scripting Interpreter: PowerShell Encoded PowerShell payload deployed 800 or 4103 or 4104
TA0002-Execution T1059.001-Command and Scripting Interpreter: PowerShell Interactive PipeShell over SMB named pipe 800 or 4103 or 4104
TA0002-Execution T1059.001-Command and Scripting Interpreter: PowerShell Payload downloaded via PowerShell 800 or 4103 or 4104
TA0002-Execution T1059.003-Windows Command Shell Encoded PowerShell payload deployed via process execution 1 or 4688
TA0002-Execution T1059.003-Windows Command Shell SQL Server payload injectection for reverse shell (MSF) 1 or 4688
TA0002-Execution T1204-User execution Edge abuse for payload download via console 1 or 4688
TA0002-Execution T1204-User execution Edge/Chrome headless feature abuse for payload download 1 or 4688
TA0002-Execution T1569.002-Service Execution PSexec installation detected 1 or 4688
TA0002-Execution T1569.002-Service Execution Service massive failures (native) 7000 or 7009 Tchopper
TA0002-Execution T1569.002-Service Execution Service massive installation (native) 7045 or 4697 Tchopper
TA0002-Execution T1569.002-Service Execution Service massive remote creation via named pipes (native) 5145 Tchopper
TA0003-Persistence T1078.002-Valid accounts-Domain accounts Account renamed to "admin" (or likely) 4781
TA0003-Persistence T1098.xxx-Account manipulation Computer account created with privileges 4741 CVE-2021-42278/42287 & SAM-the-admin
TA0003-Persistence T1098.xxx-Account manipulation Computer account renamed without a trailing $ 4781 CVE-2021-42278/42287 & SAM-the-admin
TA0003-Persistence T1098.xxx-Account Manipulation High risk domain group membership change 4728 or 4756
TA0003-Persistence T1098.xxx-Account manipulation High risk Exchange group membership change 4728 or 4756 or 4732
TA0003-Persistence T1098.xxx-Account Manipulation High risk local-domain local group membership change 4732
TA0003-Persistence T1098.xxx-Account manipulation High risk Skype/Lync/OCS group membership change 4728 or 4756 or 4732
TA0003-Persistence T1098.xxx-Account manipulation Host delegation settings changed for potential abuse (any protocol) 4742 Rubeus
TA0003-Persistence T1098.xxx-Account manipulation Host delegation settings changed for potential abuse (any service, Kerberos only) 4742 Rubeus
TA0003-Persistence T1098.xxx-Account manipulation Host delegation settings changed for potential abuse (Kerberos only) 4742 Rubeus
TA0003-Persistence T1098.xxx-Account manipulation Low risk Skype/Lync/OCS group membership change 4728 or 4756 or 4732
TA0003-Persistence T1098.xxx-Account manipulation Medium risk Exchange group membership change 4728 or 4756 or 4732
TA0003-Persistence T1098.xxx-Account Manipulation Medium risk local-domain local group membership change 4732
TA0003-Persistence T1098.xxx-Account manipulation Medium risk Skype/Lync/OCS group membership change 4728 or 4756 or 4732
TA0003-Persistence T1098.xxx-Account Manipulation Member added and removed from a group by a user account in a short period of time 4728/29,4756/57,4732/33
TA0003-Persistence T1098.xxx-Account Manipulation Member added to a group by the same account 4728 or 4756 or 4732
TA0003-Persistence T1098.xxx-Account manipulation Member added to DNSadmins group for DLL abuse 4732 DNS DLL abuse
TA0003-Persistence T1098.xxx-Account manipulation New admin (or likely) created by a non administrative account 4720
TA0003-Persistence T1098.xxx-Account manipulation SPN modification of a computer account (Directory Services) 5136 DCShadow
TA0003-Persistence T1098.xxx-Account manipulation SPN modification of a computer account 4742
TA0003-Persistence T1098.xxx-Account manipulation SPN modification of a computer account 4742 DCShadow
TA0003-Persistence T1098.xxx-Account manipulation SPN modification of a user account 5136 Kerberoasting
TA0003-Persistence T1098.xxx-Account manipulation SQL Server: new member added to a database role 33205
TA0003-Persistence T1098.xxx-Account manipulation SQL Server: new member added to server role 33205
TA0003-Persistence T1098.xxx-Account manipulation User account created and/or set with reversible encryption detected 4738
TA0003-Persistence T1098.xxx-Account manipulation User account marked as "sensitive and cannot be delegated" its had protection removed 4738
TA0003-Persistence T1098.xxx-Account manipulation User account set to not require Kerberos pre-authentication 4738
TA0003-Persistence T1098.xxx-Account manipulation User account set to use Kerberos DES encryption 4738
TA0003-Persistence T1098.xxx-Account manipulation User account with password set to never expire detected 4738
TA0003-Persistence T1098.xxx-Account manipulation User account with password set to not require detected 4738
TA0003-Persistence T1098.xxx-Account manipulation User password change using current hash password - ChangeNTLM 4723 Mimikatz
TA0003-Persistence T1098.xxx-Account manipulation User password change without previous password known - SetNTLM 4724 Mimikatz
TA0003-Persistence T1098.xxx-Account Manipulation User performing massive group membership changes on multiple differents groups 4728 or 4756
TA0003-Persistence T1098-Account Manipulation Computer account set for RBCD delegation 5136
TA0003-Persistence T1098-Account Manipulation Disabled guest or builtin account activated 4722
TA0003-Persistence T1098-Account Manipulation SPN added to an account (command) 1 or 4688
TA0003-Persistence T1136.001-Create account-Local account Hidden account creation (with fast deletion) 4720 and 4726
TA0003-Persistence T1136.001-Create account-Local account Local user account created on a single host 4720
TA0003-Persistence T1136.001-Create account-Local account SQL Server: disabled SA account enabled 33205
TA0003-Persistence T1136.002-Create account-Domain account Computer account created and deleted in a short period of time 4741 and 4743
TA0003-Persistence T1136.002-Create account-Domain account User account created and deleted in a short period of time 4720 and 4726
TA0003-Persistence T1136.002-Create account-Domain account User account creation disguised in a computer account 4720 or 4781
TA0003-Persistence T1136-Create account User creation via commandline 1 or 4688
TA0003-Persistence T1505.001-SQL Stored Procedures SQL lateral movement with CLR 15457
TA0003-Persistence T1505.001-SQL Stored Procedures SQL Server xp_cmdshell procedure activated 18457
TA0003-Persistence T1505.001-SQL Stored Procedures SQL Server: sqlcmd & ossql utilities abuse 1 or 4688
TA0003-Persistence T1505.001-SQL Stored Procedures SQL Server: started in single mode for password recovery 1 or 4688
TA0003-Persistence T1505.002-Server Software Component: Transport Agent Exchange transport agent injection via configuration file 11
TA0003-Persistence T1505.002-Server Software Component: Transport Agent Exchange transport agent installation artifacts 1 or 6
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Encoded PowerShell payload deployed via service installation 7045 or 4697
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Impacket SMBexec service registration (native) 7045 or 4697 SMBexec
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Mimikatz service driver installation detected 7045 or 4697 Mimikatz
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service abuse with backdoored "command failure" (PowerShell) 800 or 4103 or 4104
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service abuse with backdoored "command failure" (registry) 1 or 4688
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service abuse with backdoored "command failure" (service) 1 or 4688
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service abuse with malicious ImagePath (PowerShell) 800 or 4103 or 4104
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service abuse with malicious ImagePath (registry) 1 or 4688
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service abuse with malicious ImagePath (service) 1 or 4688
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service created for RDP session hijack 7045 or 4697
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service creation (command) 1 or 4688
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service creation (PowerShell) 800 or 4103 or 4104
TA0003-Persistence T1546.003-Windows Management Instrumentation Event Subscription System crash behavior manipulation (registry) 13 WMImplant
TA0003-Persistence T1546.003-Windows Management Instrumentation Event Subscription WMI registration (PowerShell) 800 or 4103 or 4104
TA0003-Persistence T1546.003-Windows Management Instrumentation Event Subscription WMI registration 19 or 20 or 21
TA0003-Persistence T1546.007-Netsh Helper DLL Netsh helper DLL command abuse 1 or 4688
TA0003-Persistence T1546.007-Netsh Helper DLL Netsh helper DLL registry abuse 13
TA0003-Persistence T1546-Event Triggered Execution AdminSDHolder container permissions modified 5136
TA0003-Persistence T1546-Event Triggered Execution Extended rights backdoor obfuscation (via localizationDisplayId) 5136
TA0003-Persistence T1547.008-Boot or Logon Autostart Execution: LSASS Driver Security package (SSP) loaded into LSA (native) 4622
TA0003-Persistence T1547.009-Boot or Logon Autostart Execution: Shortcut Modification NTFS hard link creation 4664
TA0003-Persistence T1547.009-Boot or Logon Autostart Execution: Shortcut Modification NTFS symbolic link configuration change 1 or 4688
TA0003-Persistence T1547.009-Boot or Logon Autostart Execution: Shortcut Modification NTFS symbolic link creation 1 or 4688
TA0003-Persistence T1574.002-DLL Side-Loading DNS DLL "serverlevelplugindll" command execution 1 or 4688 DNS DLL abuse
TA0003-Persistence T1574.002-DLL Side-Loading Failed DLL loaded by DNS server 150 DNS DLL abuse
TA0003-Persistence T1574.002-DLL Side-Loading Success DLL loaded by DNS server 770 DNS DLL abuse
TA0003-Persistence T1574.010-Hijack execution flow: service file permissions weakness Service permissions modified (registry) 1 or 4688
TA0003-Persistence T1574.010-Hijack execution flow: service file permissions weakness Service permissions modified (service) 1 or 4688
TA0004-Privilege Escalation T1068-Exploitation for Privilege Escalation Privilege SeMachineAccountPrivilege abuse 4673 CVE-2021-42278/42287 & SAM-the-admin
TA0004-Privilege Escalation T1134.001- Access Token Manipulation: Token Impersonation/Theft Anonymous login 4624 and 4688 RottenPotatoNG
TA0004-Privilege Escalation T1134.002- Access Token Manipulation: Create Process with Token Privilege escalation via runas (command) 4688 and 4648 and 4624
TA0004-Privilege Escalation T1134.002- Access Token Manipulation: Create Process with Token Privilege escalation via RunasCS 1 or 4688
TA0004-Privilege Escalation T1134.005-Access Token Manipulation: SID-History Injection SID history value S/F to be added to a domain account 4765/4766/4738
TA0004-Privilege Escalation T1134-Access Token Manipulation New access rights granted to an account by a standard user 4717 or 4718
TA0004-Privilege Escalation T1134-Access Token Manipulation User right granted to an account by a standard user 4704
TA0004-Privilege Escalation T1484.001-Domain Policy Modification-Group Policy Modification Modification of a sensitive Group Policy 5136
TA0004-Privilege Escalation T1484.002- Domain or Tenant Policy Modification: Trust Modification New external trust added 4865, 4076
TA0004-Privilege Escalation T1543.003-Create or Modify System Process-Windows Service PSexec service installation detected 7045 or 4697
TA0004-Privilege Escalation T1546.008-Event Triggered Execution: Accessibility Features CMD executed by stickey key and detected via hash 1 or 4688 Sticky key
TA0004-Privilege Escalation T1546.008-Event Triggered Execution: Accessibility Features Sticky key called CMD via command execution 1 or 4688 Sticky key
TA0004-Privilege Escalation T1546.008-Event Triggered Execution: Accessibility Features Sticky key failed sethc replacement by CMD 4656 Sticky key
TA0004-Privilege Escalation T1546.008-Event Triggered Execution: Accessibility Features Sticky key file created from CMD copy 11 Sticky key
TA0004-Privilege Escalation T1546.008-Event Triggered Execution: Accessibility Features Sticky key IFEO command for registry change 1 or 4688 Sticky key
TA0004-Privilege Escalation T1546.008-Event Triggered Execution: Accessibility Features Sticky key IFEO registry changed 12 or 12 Sticky key
TA0004-Privilege Escalation T1547.010-Port Monitors Print spooler privilege escalation via printer added 800 or 4103 or 4104 PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0004-Privilege Escalation T1574.002-DLL Side-Loading External printer mapped 4688 and 4648 PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0004-Privilege Escalation T1574.002-DLL Side-Loading New external device added 6416 PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0004-Privilege Escalation T1574.002-DLL Side-Loading Printer spool driver from Mimikatz installed 808 or 354 or 321 PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0004-Privilege Escalation T1574.002-DLL Side-Loading Spool process spawned a CMD shell 1 or 4688 PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0005-Defense Evasion T1027-Obfuscated Files or Information Payload obfuscated transfer via service name 1 or 4688 Tchopper
TA0005-Defense Evasion T1070.001-Indicator Removal on Host Event log file(s) cleared 104 or 1102
TA0005-Defense Evasion T1070.001-Indicator Removal on Host Tentative of clearing event log file(s) detected (command) 1 or 4688
TA0005-Defense Evasion T1070.001-Indicator Removal on Host Tentative of clearing event log file(s) detected (PowerShell) 800 or 4103 or 4104
TA0005-Defense Evasion T1070.001-Indicator Removal on Host Tentative of clearing event log file(s) detected (wmi) 1 or 4688
TA0005-Defense Evasion T1070.006-Timestomp System time changed 4616
TA0005-Defense Evasion T1078.002-Valid accounts-Domain accounts Login from a user member of a "special group" detected (special logon) 4964
TA0005-Defense Evasion T1112-Modify registry Impacket SMBexec service registration (registry) 13 SMBexec
TA0005-Defense Evasion T1197-BITS job Command execution related to a suspicious BITS activity detected 1 or 4688
TA0005-Defense Evasion T1197-BITS job Command execution related to a suspicious BITS activity detected 800 or 4103 or 4104
TA0005-Defense Evasion T1197-BITS job High amount of data downloaded via BITS 60
TA0005-Defense Evasion T1207-Rogue domain controller New fake domain controller registration 5137 or 5141 DCShadow
TA0005-Defense Evasion T1207-Rogue domain controller Sensitive attributes accessed 4662 DCShadow
TA0005-Defense Evasion T1222.001-File and Directory Permissions Modification Computer account modifying AD permissions 5136 PrivExchange
TA0005-Defense Evasion T1222.001-File and Directory Permissions Modification Network share permissions changed 5143
TA0005-Defense Evasion T1222.001-File and Directory Permissions Modification OCSP security settings changed 5124(OCSP)
TA0005-Defense Evasion T1222.001-File and Directory Permissions Modification Permissions changed on a GPO 5136
TA0005-Defense Evasion T1222.001-File and Directory Permissions Modification Sensitive GUID related to "Replicate directory changes" detected 4662 DCSync
TA0005-Defense Evasion T1553.003- Subvert Trust Controls: SIP and Trust Provider Hijacking Suspicious SIP or trust provider registration 12 or 12
TA0005-Defense Evasion T1562.001-Impair Defenses: Disable or Modify Tools Unload SYSMON driver 1
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: critical security component disabled (command) 1 or 4688
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: critical security component disabled (PowerShell) 800 or 4103 or 4104
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: default action set to allow any threat (PowerShell) 800 or 4103 or 4104
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: exclusion added (native) 5007
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: exclusion added (PowerShell) 800 or 4103 or 4104
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: service component status disabled (Registry via Sysmon) 13
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Virtualization disabled (Credential guard) 8
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging 541
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging Audit policy disabled 4719
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging Domain policy changed on one or multiple hosts 4739
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging Membership of a special group updated 4908
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging SQL Server: Audit object deleted 33205
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging SQL Server: Audit object disabled 33205
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging SQL Server: Audit specifications deleted 33205
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging SQL Server: Audit specifications disabled 33205
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging SQL Server: Database audit specifications deleted 33205
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging SQL Server: Database audit specifications disabled 33205
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging Tentative of disabling or clearing audit policy by commandline 1 or 4688
TA0005-Defense Evasion T1562.004-Disable or Modify System Firewall Firewall deactivation (cmd) 1 or 4688
TA0005-Defense Evasion T1562.004-Disable or Modify System Firewall Firewall deactivation (firewall) 2003 or 4950
TA0005-Defense Evasion T1562.004-Disable or Modify System Firewall Firewall deactivation (PowerShell) 800 or 4103 or 4104
TA0005-Defense Evasion T1562.004-Disable/modify firewall (rule) Any/any firewall rule created 2004
TA0005-Defense Evasion T1562.004-Disable/modify firewall (rule) Firewall rule created by a suspicious command (netsh.exe, wmiprvse.exe) 2004
TA0005-Defense Evasion T1562.004-Disable/modify firewall (rule) Firewall rule created by a user account 2004
TA0005-Defense Evasion T1562.004-Disable/modify firewall (rule) OpenSSH server firewall configuration (command) 1 or 4688 SSH server
TA0005-Defense Evasion T1562.004-Disable/modify firewall (rule) OpenSSH server firewall configuration (firewall) 2004 SSH server
TA0005-Defense Evasion T1562.004-Disable/modify firewall (rule) OpenSSH server firewall configuration (PowerShell) 800 or 4103 or 4104 SSH server
TA0005-Defense Evasion T1564.006-Hide Artifacts: Run Virtual Instance WSL for Windows installation detected (command) 1 or 4688
TA0006-Credential Access T1003.001-Credential dumping: LSASS LSASS credential dump with LSASSY (kernel) 4656 or 4663
TA0006-Credential Access T1003.001-Credential dumping: LSASS LSASS credential dump with LSASSY (PowerShell) 800 or 4103 or 4104
TA0006-Credential Access T1003.001-Credential dumping: LSASS LSASS credential dump with LSASSY (process) 1 or 4688
TA0006-Credential Access T1003.001-Credential dumping: LSASS LSASS credential dump with LSASSY (share) 5145
TA0006-Credential Access T1003.001-Credential dumping: LSASS LSASS credentials dump via Task Manager (file) 11
TA0006-Credential Access T1003.001-Credential dumping: LSASS LSASS dump indicator via Task Manager access 1 or 4688
TA0006-Credential Access T1003.001-Credential dumping: LSASS LSASS process accessed by a non system account 4656 or 4663
TA0006-Credential Access T1003.001-Credential dumping: LSASS SAM database user credential dump 4661 Mimikatz
TA0006-Credential Access T1003.001-Credential dumping: LSASS Task manager used to dump LSASS process 4663
TA0006-Credential Access T1003.002-Security Account Manager Password dump over SMB ADMIN$ 5145 Secretdump
TA0006-Credential Access T1003.002-Security Account Manager SAM database access during DCshadow 4661 DCShadow
TA0006-Credential Access T1003.003-NTDS IFM created 325 or 327
TA0006-Credential Access T1003.003-NTDS IFM created from command line 1 or 4688
TA0006-Credential Access T1003.003-OS Credential-Dumping NTDS DSRM configuration changed (Reg via command) 1 or 4688
TA0006-Credential Access T1003.003-OS Credential-Dumping NTDS DSRM configuration changed (Reg via PowerShell) 800 or 4103 or 4104
TA0006-Credential Access T1003.003-OS Credential-Dumping NTDS DSRM password reset 4794
TA0006-Credential Access T1003.006-DCSync Member added to a Exchange DCsync related group 4728 or 4756 or 4732 DCSync
TA0006-Credential Access T1003-Credential dumping Backdoor introduction via registry permission change through WMI (DAMP) 4674 DAMP
TA0006-Credential Access T1003-Credential dumping Diskshadow abuse 1 or 4688
TA0006-Credential Access T1003-Credential dumping Wdigest authentication enabled (Reg via command) 1 or 4688
TA0006-Credential Access T1003-Credential dumping Wdigest authentication enabled (Reg via Sysmon) 12 or 12
TA0006-Credential Access T1040-Network sniffing Windows native sniffing tool Pktmon usage 1 or 4688
TA0006-Credential Access T1110.xxx-Brut force Brutforce enumeration on Windows OpenSSH server with non existing user 4625 or 4 SSH server
TA0006-Credential Access T1110.xxx-Brut force Brutforce on Windows OpenSSH server with valid user 4625 or 4 SSH server
TA0006-Credential Access T1110.xxx-Brut force Kerberos brutforce enumeration with existing/unexsting users (Kerbrute) 4771 or 4768
TA0006-Credential Access T1110.xxx-Brut force Kerberos brutforce with not existing users 4771 or 4768
TA0006-Credential Access T1110.xxx-Brut force Login failure from a single source with different non existing accounts 33205
TA0006-Credential Access T1552.004-Unsecured Credentials-Private Keys Unknown application accessing certificate private key detected 70(CAPI2) Mimikatz
TA0006-Credential Access T1555.003-Credentials from Password Stores: Credentials from Web Browsers User browser credentials dump via network share 5145 DonPapi, Lazagne
TA0006-Credential Access T1555.004-Windows Credential Manager Credentials (protected by DPAPI) dump via network share 5145 DonPapi, Lazagne
TA0006-Credential Access T1555.004-Windows Credential Manager Vault credentials were read 5382
TA0006-Credential Access T1555-Credentials from Password Stores Suspicious Active Directory DPAPI attributes accessed 4662
TA0006-Credential Access T1555-Credentials from Password Stores User files dump via network share 5145 DonPapi, Lazagne
TA0006-Credential Access T1557.001-MiM:LLMNR/NBT-NS Poisoning and SMB Relay Discovery for print spooler bug abuse via named pipe 5145
TA0006-Credential Access T1558.001-Golden Ticket Kerberos TGS ticket request related to a potential Golden ticket 4769 Golden ticket
TA0006-Credential Access T1558.001-Golden Ticket SMB Admin share accessed with a forged Golden ticket 5140 or 5145 Golden ticket
TA0006-Credential Access T1558.001-Golden Ticket Success login impersonation with forged Golden ticket 4624 Golden ticket
TA0006-Credential Access T1558.003-Kerberoasting KerberOAST ticket (TGS) request detected (low encryption) 4769 Kerberoast
TA0006-Credential Access T1558.004-Steal or Forge Kerberos Tickets: AS-REP Roasting Kerberos AS-REP Roasting ticket request detected 4768 AS-REP Roasting
TA0006-Credential Access T1558-Steal or Forge Kerberos Tickets Kerberos ticket without a trailing $ 4768 or 4769 CVE-2021-42278/42287 & SAM-the-admin
TA0006-Credential Access T1558-Steal or Forge Kerberos Tickets Suspicious Kerberos proxiable ticket 4768 CVE-2021-42278/42287 & SAM-the-admin
TA0007-Discovery T1016-System Network Configuration Discovery Firewall configuration enumerated (command) 1 or 4688
TA0007-Discovery T1016-System Network Configuration Discovery Firewall configuration enumerated (PowerShell) 800 or 4103 or 4104
TA0007-Discovery T1016-System Network Configuration Discovery Tentative of zone transfer from a non DNS server detected 6004 (DNSserver)
TA0007-Discovery T1018-Remote System Discovery DNS hosts file accessed via network share 5145
TA0007-Discovery T1046-Network Service Scanning RDP discovery performed on multiple hosts 131
TA0007-Discovery T1046-Network Service Scanning Suspicious anonymous login 4624
TA0007-Discovery T1069.001-Discovery domain groups Local domain group enumeration via RID brutforce 4661 CrackMapExec
TA0007-Discovery T1069.001-Discovery local groups Remote local group enumeration (SharpeHound) 4799 SharpHound
TA0007-Discovery T1069.002-Discovery domain groups Domain group enumeration 4661 CrackMapExec
TA0007-Discovery T1069.002-Discovery domain groups Honeypot object (container, computer, group, user) enumerated 4662 SharpHound
TA0007-Discovery T1069.002-Discovery domain groups Massive SAM domain users & groups discovery 4661
TA0007-Discovery T1069.002-Discovery domain groups Sensitive SAM domain user & groups discovery 4661
TA0007-Discovery T1069-Permission Groups Discovery Group discovery via commandline 1 or 4688
TA0007-Discovery T1069-Permission Groups Discovery Group discovery via PowerShell 800 or 4103 or 4104
TA0007-Discovery T1082-System Information Discovery Audit policy settings collection 1 or 4688
TA0007-Discovery T1087.002-Domain Account discovery Active Directory PowerShell module called from a non administrative host 600
TA0007-Discovery T1087.002-Domain Account discovery Single source performing host enumeration over Kerberos ticket (TGS) detected 4769 SharpHound
TA0007-Discovery T1087-Account discovery SPN enumeration (command) 1 or 4688 Kerberoast
TA0007-Discovery T1087-Account discovery SPN enumeration (PowerShell) 800 or 4103 or 4104
TA0007-Discovery T1087-Account discovery User enumeration via commandline 1 or 4688
TA0007-Discovery T1135-Network Share Discovery Host performing advanced named pipes enumeration on different hosts via SMB 5145 SharpHound
TA0007-Discovery T1135-Network Share Discovery Network share discovery and/or connection via commandline 1 or 4688
TA0007-Discovery T1135-Network Share Discovery Network share manipulation via commandline 1 or 4688
TA0007-Discovery T1201-Password Policy Discovery Domain password policy enumeration 4661 CrackMapExec
TA0007-Discovery T1201-Password Policy Discovery Password policy discovery via commandline 1 or 4688
TA0007-Discovery T1482-Domain Trust Discovery Active Directory Forest PowerShell class called from a non administrative host 800 or 4103 or 4104
TA0008-Lateral Movement T1021.001-Remote Desktop Protocol Denied RDP login with valid credentials 4825
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Admin share accessed via SMB (basic) 5140 or 5145
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Impacket WMIexec execution via SMB admin share 5145 WMIexec
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Lateral movement by mounting a network share - net use (command) 4688 and 4648
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Multiple failed attempt to network share 5140 or 5145
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares New file share created on a host 5142
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Psexec remote execution via SMB 5145
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Remote service creation over SMB 5145
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Remote shell execuction via SMB admin share 5145
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Shared printer creation 5142 PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0008-Lateral Movement T1021.003-DCOM DCOM lateral movement (via MMC20) 4104
TA0008-Lateral Movement T1021.003-DCOM DCOMexec privilege abuse 4674
TA0008-Lateral Movement T1021.003-DCOM DCOMexec process abuse via MMC 1 or 4688
TA0008-Lateral Movement T1021.004-Remote services: SSH OpenSSH native server feature installation 800 or 4103 or 4104 SSH server
TA0008-Lateral Movement T1021.004-Remote services: SSH OpenSSH server for Windows activation/configuration detected 800 or 4103 or 4104 SSH server
TA0008-Lateral Movement T1021.006-Windows Remote Management WinRM listening service reconnaissance 4656
TA0008-Lateral Movement T1550.002-Use Alternate Authentication Material: Pass the Hash LSASS dump via process access 10 Mimikatz
TA0008-Lateral Movement T1550.002-Use Alternate Authentication Material: Pass the Hash Pass-the-hash login 4624 Mimikatz
TA0008-Lateral Movement T1563.002-RDP hijacking RDP session hijack via TSCON abuse command 1 or 4688
TA0009-Collection T1125-Video capture RDP shadow session started (registry) 13
TA0011-Command and control T1090-Proxy Proxy configuration changed 5600
TA0011-Command and control T1572-Protocol tunneling RDP tunneling configuration enabled for port forwarding 1 or 4688
TA0040-Impact T1490-Inhibit System Recovery VSS backup deletion (PowerShell) 800 or 4103 or 4104
TA0040-Impact T1490-Inhibit System Recovery VSS backup deletion (WMI) 1 or 4688
TA0040-Impact T1490-Inhibit System Recovery Windows native backup deletion 1 or 4688
TA0040-Impact T1565-Data manipulation DNS hosts file modified 11
TA0006-Credential Access T1110.xxx-Brut force Local login failure on target 4625

About

Set of EVTX samples (>270) mapped to MITRE ATT&CK tactic and techniques to measure your SIEM coverage or developed new use cases.

License:Creative Commons Zero v1.0 Universal