Skip to content

Set of SIGMA rules (>320) mapped to MITRE ATT&CK tactic and techniques

License

Notifications You must be signed in to change notification settings

mdecrevoisier/SIGMA-detection-rules

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SIGMA detection rules

Project purpose:

SIGMA detection rules provides a free set of >320 advanced correlation rules to be used for suspicious hunting activities.

How to use the rules:

The SIGMA rules can be used in different ways together with your SIEM:

Microsoft products used:

  • Windows 10
  • Windows Server 2016
  • Active Directory Domain Services (ADDS)
  • Active Directory Certification Services (ADCS / PKI) with online responder (OCSP)
  • SQL Server 2014
  • Windows Defender
  • SYSMON v11 and higher
  • Exchange 2016
  • Internet Information Services (IIS web server)

SIGMA rules content

Att@ck Tactic Att@ck Technique Description Event IDs Threat name / Tool / CVE
Antivirus Antivirus Defender: antivirus not up to date 1151
Antivirus Antivirus Defender: massive malware outbreak detected on multiple hosts 1116
Antivirus Antivirus Defender: massive malwares detected on a single host 1116
TA0001-Initial access T1078.002-Valid accounts-Domain accounts Login denied due to account policy restrictions 4625
TA0001-Initial access T1078.002-Valid accounts-Domain accounts Login failure from a single source with a disabled account 33205
TA0001-Initial access T1078.002-Valid accounts-Domain accounts Login failure from a single source with a disabled account 4624
TA0001-Initial access T1078.002-Valid accounts-Domain accounts Multiple success logins performed to multiple hosts 4624
TA0001-Initial access T1078.002-Valid accounts-Domain accounts Success login on OpenSSH server 4 SSH server
TA0001-Initial access T1078.002-Valid accounts-Domain accounts Success login on OpenSSH server 4624 SSH server
TA0001-Initial access T1078-Valid accounts Login via Azure serial console 4624
TA0001-Initial access T1078-Valid accounts RDP reconnaissance with valid credentials performed to multiple hosts 4624 or 1149
TA0002-Execution T1047-Windows Management Instrumentation Impacket WMIexec process execution 1 or 4688 WMIexec
TA0002-Execution T1053.005-Scheduled Task Interactive shell triggered by scheduled task (at, deprecated) 1 or 4688
TA0002-Execution T1053.005-Scheduled Task Persistent scheduled task with SYSTEM privileges creation 1 or 4688
TA0002-Execution T1053.005-Scheduled Task Remote schedule task creation via named pipes 5145 Atexec
TA0002-Execution T1053.005-Scheduled Task Schedule task fastly created and deleted 4698 and 4699 Atexec
TA0002-Execution T1053.005-Scheduled Task Scheduled task creation 1 or 4688
TA0002-Execution T1059.001-Command and Scripting Interpreter: PowerShell Encoded PowerShell payload deployed 800 or 4103 or 4104
TA0002-Execution T1059.001-Command and Scripting Interpreter: PowerShell Interactive PipeShell over SMB named pipe 800 or 4103 or 4104
TA0002-Execution T1059.001-Command and Scripting Interpreter: PowerShell Payload downloaded via PowerShell 800 or 4103 or 4104
TA0002-Execution T1059.001-Command and Scripting Interpreter: PowerShell Vice Society directory crawling script for data exfiltration 4104
TA0002-Execution T1059.003-Command and Scripting Interpreter: Windows Command Shell CMD shell via serial cable (command) 1 or 4688
TA0002-Execution T1059.003-Windows Command Shell Encoded PowerShell payload deployed via process execution 1 or 4688
TA0002-Execution T1059.003-Windows Command Shell SQL Server payload injectection for reverse shell (MSF) 1 or 4688
TA0002-Execution T1204-User execution Edge abuse for payload download via console 1 or 4688
TA0002-Execution T1204-User execution Edge/Chrome headless feature abuse for payload download 1 or 4688
TA0002-Execution T1569.002-Service Execution PSexec installation detected 1 or 4688
TA0002-Execution T1569.002-Service Execution Service massive failures (native) 7000 or 7009 Tchopper
TA0002-Execution T1569.002-Service Execution Service massive installation (native) 7045 or 4697 Tchopper
TA0002-Execution T1569.002-Service Execution Service massive remote creation via named pipes (native) 5145 Tchopper
TA0003-Persistence T1078.002-Valid accounts-Domain accounts Account renamed to "admin" (or likely) 4781
TA0003-Persistence T1098.xxx-Account manipulation Computer account created with privileges 4741 CVE-2021-42278/42287 & SAM-the-admin
TA0003-Persistence T1098.xxx-Account manipulation Computer account renamed without a trailing $ 4781 CVE-2021-42278/42287 & SAM-the-admin
TA0003-Persistence T1098.xxx-Account manipulation Custom sensitive account password reset 4723 or 4724
TA0003-Persistence T1098.xxx-Account Manipulation High risk domain group membership change 4728 or 4756
TA0003-Persistence T1098.xxx-Account manipulation High risk Exchange group membership change 4728 or 4756 or 4732
TA0003-Persistence T1098.xxx-Account Manipulation High risk local-domain local group membership change 4732
TA0003-Persistence T1098.xxx-Account manipulation High risk Skype/Lync/OCS group membership change 4728 or 4756 or 4732
TA0003-Persistence T1098.xxx-Account manipulation Host delegation settings changed for potential abuse (any protocol) 4742 Rubeus
TA0003-Persistence T1098.xxx-Account manipulation Host delegation settings changed for potential abuse (any service, Kerberos only) 4742 Rubeus
TA0003-Persistence T1098.xxx-Account manipulation Host delegation settings changed for potential abuse (Kerberos only) 4742 Rubeus
TA0003-Persistence T1098.xxx-Account manipulation Kerberos account password reset 4723 or 4724 Golden ticket
TA0003-Persistence T1098.xxx-Account manipulation Low risk Skype/Lync/OCS group membership change 4728 or 4756 or 4732
TA0003-Persistence T1098.xxx-Account manipulation Medium risk Exchange group membership change 4728 or 4756 or 4732
TA0003-Persistence T1098.xxx-Account Manipulation Medium risk local-domain local group membership change 4732
TA0003-Persistence T1098.xxx-Account manipulation Medium risk Skype/Lync/OCS group membership change 4728 or 4756 or 4732
TA0003-Persistence T1098.xxx-Account manipulation Member added to a group (command) 1 or 4688
TA0003-Persistence T1098.xxx-Account manipulation Member added to DNSadmins group for DLL abuse 4732 DNS DLL abuse
TA0003-Persistence T1098.xxx-Account manipulation New admin (or likely) created by a non administrative account 4720
TA0003-Persistence T1098.xxx-Account manipulation SPN modification of a computer account (Directory Services) 5136 DCShadow
TA0003-Persistence T1098.xxx-Account manipulation SPN modification of a computer account 4742
TA0003-Persistence T1098.xxx-Account manipulation SPN modification of a computer account 4742 DCShadow
TA0003-Persistence T1098.xxx-Account manipulation SPN modification of a user account 5136 Kerberoasting
TA0003-Persistence T1098.xxx-Account manipulation SQL Server: Member had new privileges added to a database 33205
TA0003-Persistence T1098.xxx-Account manipulation SQL Server: Member had new privileges added to an instance 33205
TA0003-Persistence T1098.xxx-Account manipulation SQL Server: new member added to a database role 33205
TA0003-Persistence T1098.xxx-Account manipulation SQL Server: new member added to server role 33205
TA0003-Persistence T1098.xxx-Account manipulation User account created and/or set with reversible encryption detected 4738
TA0003-Persistence T1098.xxx-Account manipulation User account marked as "sensitive and cannot be delegated" its had protection removed 4738
TA0003-Persistence T1098.xxx-Account manipulation User account set to not require Kerberos pre-authentication 4738
TA0003-Persistence T1098.xxx-Account manipulation User account set to use Kerberos DES encryption 4738
TA0003-Persistence T1098.xxx-Account manipulation User account with password set to never expire detected 4738
TA0003-Persistence T1098.xxx-Account manipulation User account with password set to not require detected 4738
TA0003-Persistence T1098.xxx-Account manipulation User password change using current hash password - ChangeNTLM 4723 Mimikatz
TA0003-Persistence T1098.xxx-Account manipulation User password change without previous password known - SetNTLM 4724 Mimikatz
TA0003-Persistence T1098.xxx-Account Manipulation User performing massive group membership changes on multiple differents groups 4728 or 4756
TA0003-Persistence T1098-Account Manipulation Computer account set for RBCD delegation 5136
TA0003-Persistence T1098-Account Manipulation Disabled guest or builtin account activated (command) 1 or 4688
TA0003-Persistence T1098-Account Manipulation Disabled guest or builtin account activated 4722
TA0003-Persistence T1098-Account Manipulation SPN added to an account (command) 1 or 4688
TA0003-Persistence T1136.001-Create account-Local account Hidden account creation (with fast deletion) 4720 and 4726
TA0003-Persistence T1136.001-Create account-Local account SQL Server: disabled SA account enabled 33205
TA0003-Persistence T1136.001-Create account-Local account User account created by a computer account 4720
TA0003-Persistence T1136.001-Create account-Local account User creation related to Manic Menagerie (command) 1 or 4688
TA0003-Persistence T1136.002-Create account-Domain account Computer account created by a computer account 4741
TA0003-Persistence T1136.002-Create account-Domain account User account creation disguised in a computer account 4720 or 4781
TA0003-Persistence T1136-Create account User creation via commandline 1 or 4688
TA0003-Persistence T1505.001-SQL Stored Procedures SQL lateral movement with CLR 15457
TA0003-Persistence T1505.001-SQL Stored Procedures SQL Server Dedicated Admin Connection (DAC) activity 17199 or 17200 or 17201 or 17202 or 17810
TA0003-Persistence T1505.001-SQL Stored Procedures SQL Server Dedicated Admin Connection (DAC) mode activated 15457
TA0003-Persistence T1505.001-SQL Stored Procedures SQL Server xp_cmdshell procedure activated 18457
TA0003-Persistence T1505.001-SQL Stored Procedures SQL Server: sqlcmd & ossql utilities abuse 1 or 4688
TA0003-Persistence T1505.001-SQL Stored Procedures SQL Server: started in single mode for password recovery 1 or 4688
TA0003-Persistence T1505.002-Server Software Component: Transport Agent Exchange transport agent injection via configuration file 11
TA0003-Persistence T1505.002-Server Software Component: Transport Agent Exchange transport agent installation artifacts (PowerShell) 800 or 4103 or 4104
TA0003-Persistence T1505.002-Server Software Component: Transport Agent Exchange transport agent installation artifacts 1 or 6
TA0003-Persistence T1505.004-Server Software Component: IIS Components Webserver IIS module installed 1 or 4688
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Encoded PowerShell payload deployed via service installation 7045 or 4697
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Impacket SMBexec service registration (native) 7045 or 4697 SMBexec
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Mimikatz service driver installation detected 7045 or 4697 Mimikatz
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service abuse with backdoored "command failure" (PowerShell) 800 or 4103 or 4104
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service abuse with backdoored "command failure" (registry) 1 or 4688
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service abuse with backdoored "command failure" (service) 1 or 4688
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service abuse with malicious ImagePath (PowerShell) 800 or 4103 or 4104
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service abuse with malicious ImagePath (registry) 1 or 4688
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service abuse with malicious ImagePath (service) 1 or 4688
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service created for RDP session hijack 7045 or 4697
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service creation (command) 1 or 4688
TA0003-Persistence T1543.003-Create or Modify System Process-Windows Service Service creation (PowerShell) 800 or 4103 or 4104
TA0003-Persistence T1546.003-Windows Management Instrumentation Event Subscription System crash behavior manipulation (registry) 13 WMImplant
TA0003-Persistence T1546.003-Windows Management Instrumentation Event Subscription WMI registration (PowerShell) 800 or 4103 or 4104
TA0003-Persistence T1546.003-Windows Management Instrumentation Event Subscription WMI registration 19 or 20 or 21
TA0003-Persistence T1546.007-Netsh Helper DLL Netsh helper DLL command abuse 1 or 4688
TA0003-Persistence T1546.007-Netsh Helper DLL Netsh helper DLL registry abuse 13
TA0003-Persistence T1546-Event Triggered Execution AdminSDHolder container permissions modified 5136
TA0003-Persistence T1546-Event Triggered Execution Extended rights backdoor obfuscation (via localizationDisplayId) 5136
TA0003-Persistence T1547.008-Boot or Logon Autostart Execution: LSASS Driver Security package (SSP) loaded into LSA (native) 4622
TA0003-Persistence T1547.008-Boot or Logon Autostart Execution: LSASS Driver win-os-security package (SSP) reference added to registry 1 or 4688
TA0003-Persistence T1547.009-Boot or Logon Autostart Execution: Shortcut Modification NTFS hard link creation 4664
TA0003-Persistence T1547.009-Boot or Logon Autostart Execution: Shortcut Modification NTFS symbolic link configuration change 1 or 4688
TA0003-Persistence T1547.009-Boot or Logon Autostart Execution: Shortcut Modification NTFS symbolic link creation 1 or 4688
TA0003-Persistence T1574.002-DLL Side-Loading DNS DLL "serverlevelplugindll" command execution 1 or 4688 DNS DLL abuse
TA0003-Persistence T1574.002-DLL Side-Loading Failed DLL loaded by DNS server 150 DNS DLL abuse
TA0003-Persistence T1574.002-DLL Side-Loading Success DLL loaded by DNS server 770 DNS DLL abuse
TA0003-Persistence T1574.010-Hijack execution flow: service file permissions weakness Service permissions modified (PowerShell) 800 or 4103 or 4104
TA0003-Persistence T1574.010-Hijack execution flow: service file permissions weakness Service permissions modified (Reg via PowerShell) 800 or 4103 or 4104
TA0003-Persistence T1574.010-Hijack execution flow: service file permissions weakness Service permissions modified (registry) 1 or 4688
TA0003-Persistence T1574.010-Hijack execution flow: service file permissions weakness Service permissions modified (service) 1 or 4688
TA0004-Privilege Escalation T1068-Exploitation for Privilege Escalation Privilege SeMachineAccountPrivilege abuse 4673 CVE-2021-42278/42287 & SAM-the-admin
TA0004-Privilege Escalation T1134.001- Access Token Manipulation: Token Impersonation/Theft Anonymous login 4624 and 4688 RottenPotatoNG
TA0004-Privilege Escalation T1134.002- Access Token Manipulation: Create Process with Token Privilege escalation via runas (command) 4688 and 4648 and 4624
TA0004-Privilege Escalation T1134.002- Access Token Manipulation: Create Process with Token Privilege escalation via RunasCS 1 or 4688
TA0004-Privilege Escalation T1134-Access Token Manipulation New access rights granted to an account by a standard user 4717 or 4718
TA0004-Privilege Escalation T1134-Access Token Manipulation User right granted to an account by a standard user 4704
TA0004-Privilege Escalation T1484.001-Domain Policy Modification-Group Policy Modification Modification of a sensitive Group Policy 5136
TA0004-Privilege Escalation T1543.003-Create or Modify System Process-Windows Service PSexec service installation detected 7045 or 4697
TA0004-Privilege Escalation T1546.008-Event Triggered Execution: Accessibility Features CMD executed by stickey key and detected via hash 1 or 4688 Sticky key
TA0004-Privilege Escalation T1546.008-Event Triggered Execution: Accessibility Features Sticky key called CMD via command execution 1 or 4688 Sticky key
TA0004-Privilege Escalation T1546.008-Event Triggered Execution: Accessibility Features Sticky key failed sethc replacement by CMD 4656 Sticky key
TA0004-Privilege Escalation T1546.008-Event Triggered Execution: Accessibility Features Sticky key file created from CMD copy 11 Sticky key
TA0004-Privilege Escalation T1546.008-Event Triggered Execution: Accessibility Features Sticky key IFEO command for registry change 1 or 4688 Sticky key
TA0004-Privilege Escalation T1546.008-Event Triggered Execution: Accessibility Features Sticky key IFEO registry changed 12 or 12 Sticky key
TA0004-Privilege Escalation T1546.008-Event Triggered Execution: Accessibility Features Sticky key sethc command for replacement by CMD 1 or 4688 Sticky key
TA0004-Privilege Escalation T1547.010-Port Monitors Print spooler privilege escalation via printer added 800 or 4103 or 4104 PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0004-Privilege Escalation T1574.002-DLL Side-Loading External printer mapped 4688 and 4648 PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0004-Privilege Escalation T1574.002-DLL Side-Loading New external device added 6416 PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0004-Privilege Escalation T1574.002-DLL Side-Loading Printer spool driver from Mimikatz installed 808 or 354 or 321 PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0004-Privilege Escalation T1574.002-DLL Side-Loading Spool process spawned a CMD shell 1 or 4688 PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0005-Defense Evasion T1027-Obfuscated Files or Information Payload obfuscated transfer via service name 1 or 4688 Tchopper
TA0005-Defense Evasion T1036-Masquerading SearchIndex process suspicious activity 1 or 4688
TA0005-Defense Evasion T1070.001-Indicator Removal on Host Event log file(s) cleared 104 or 1102
TA0005-Defense Evasion T1070.001-Indicator Removal on Host Tentative of clearing event log file(s) detected (command) 1 or 4688
TA0005-Defense Evasion T1070.001-Indicator Removal on Host Tentative of clearing event log file(s) detected (PowerShell) 800 or 4103 or 4104
TA0005-Defense Evasion T1070.001-Indicator Removal on Host Tentative of clearing event log file(s) detected (wmi) 1 or 4688
TA0005-Defense Evasion T1070.006-Timestomp System time changed (PowerShell) 800 or 4103 or 4104
TA0005-Defense Evasion T1070.006-Timestomp System time changed 4616
TA0005-Defense Evasion T1078.002-Valid accounts-Domain accounts Login from a user member of a "special group" detected (special logon) 4964
TA0005-Defense Evasion T1112-Modify registry Impacket SMBexec service registration (registry) 13 SMBexec
TA0005-Defense Evasion T1197-BITS job Command execution related to a suspicious BITS activity detected 1 or 4688
TA0005-Defense Evasion T1197-BITS job Command execution related to a suspicious BITS activity detected 800 or 4103 or 4104
TA0005-Defense Evasion T1197-BITS job High amount of data downloaded via BITS 60
TA0005-Defense Evasion T1207-Rogue domain controller New fake domain controller registration 5137 or 5141 DCShadow
TA0005-Defense Evasion T1207-Rogue domain controller Sensitive attributes accessed 4662 DCShadow
TA0005-Defense Evasion T1222.001-File and Directory Permissions Modification Computer account modifying AD permissions 5136 PrivExchange
TA0005-Defense Evasion T1222.001-File and Directory Permissions Modification Network share permissions changed 5143
TA0005-Defense Evasion T1222.001-File and Directory Permissions Modification OCSP security settings changed 5124(OCSP)
TA0005-Defense Evasion T1222.001-File and Directory Permissions Modification Permissions changed on a GPO 5136
TA0005-Defense Evasion T1222.001-File and Directory Permissions Modification Sensitive GUID related to "Replicate directory changes" detected 4662 DCSync
TA0005-Defense Evasion T1553.003- Subvert Trust Controls: SIP and Trust Provider Hijacking Suspicious SIP or trust provider registration 12 or 12
TA0005-Defense Evasion T1553.004-Subvert Trust Controls: Install Root Certificate Certutil root certificat install (command) 1 or 4688
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender real time protection failure 3002
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: critical security component disabled (command) 1 or 4688
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: critical security component disabled (PowerShell) 800 or 4103 or 4104
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: default action set to allow any threat (command) 1 or 4688
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: default action set to allow any threat (PowerShell) 800 or 4103 or 4104
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: exclusion added (native) 5007
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: exclusion added (PowerShell) 800 or 4103 or 4104
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: security component disabled (command) 1 or 4688
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: security component disabled (PowerShell) 800 or 4103 or 4104
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Defender: service component status disabled (Registry via Sysmon) 13
TA0005-Defense Evasion T1562.001-Impair Defenses-Disable or modify tools Massive processes termination burst 1 or 4688
TA0005-Defense Evasion T1562.002-Disable Windows Event Logging Event log disabled or size reduced 1 or 4688
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging Audit policy disabled 4719
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging SQL Server: Audit object deleted 33205
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging SQL Server: Audit object disabled 33205
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging SQL Server: Audit specifications deleted 33205
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging SQL Server: Audit specifications disabled 33205
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging SQL Server: Database audit specifications deleted 33205
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging SQL Server: Database audit specifications disabled 33205
TA0005-Defense Evasion T1562.002-Impair Defenses: Disable Windows Event Logging Tentative of disabling or clearing audit policy by commandline 1 or 4688
TA0005-Defense Evasion T1562.004-Disable or Modify System Firewall Firewall deactivation (cmd) 1 or 4688
TA0005-Defense Evasion T1562.004-Disable or Modify System Firewall Firewall deactivation (firewall) 2003 or 4950
TA0005-Defense Evasion T1562.004-Disable or Modify System Firewall Firewall deactivation (PowerShell) 800 or 4103 or 4104
TA0005-Defense Evasion T1562.004-Disable/modify firewall (rule) Any/any firewall rule created 2004
TA0005-Defense Evasion T1562.004-Disable/modify firewall (rule) Firewall rule created by a suspicious command (netsh.exe, wmiprvse.exe) 2004
TA0005-Defense Evasion T1562.004-Disable/modify firewall (rule) OpenSSH server firewall configuration (command) 1 or 4688 SSH server
TA0005-Defense Evasion T1562.004-Disable/modify firewall (rule) OpenSSH server firewall configuration (firewall) 2004 SSH server
TA0005-Defense Evasion T1562.004-Disable/modify firewall (rule) OpenSSH server firewall configuration (PowerShell) 800 or 4103 or 4104 SSH server
TA0005-Defense Evasion T1562-Impair defense NTLM downgrade attack 13
TA0005-Defense Evasion T1564.006-Hide Artifacts: Run Virtual Instance WSL for Windows installation detected (command) 1 or 4688
TA0005-Defense Evasion T1564.006-Hide Artifacts: Run Virtual Instance WSL for Windows installation detected (native) 9
TA0005-Defense Evasion T1564.006-Hide Artifacts: Run Virtual Instance WSL for Windows installation detected (PowerShell) 800 or 4103 or 4104
TA0005-Defense Evasion T564.006-Hide Artifacts: Run Virtual Instance Default Windows host name pattern detected in login attempt 4624
TA0006-Credential Access T1003.001-Credential dumping: LSASS LSASS credential dump with LSASSY (kernel) 4656 or 4663
TA0006-Credential Access T1003.001-Credential dumping: LSASS LSASS credential dump with LSASSY (PowerShell) 800 or 4103 or 4104
TA0006-Credential Access T1003.001-Credential dumping: LSASS LSASS credential dump with LSASSY (process) 1 or 4688
TA0006-Credential Access T1003.001-Credential dumping: LSASS LSASS credential dump with LSASSY (share) 5145
TA0006-Credential Access T1003.001-Credential dumping: LSASS LSASS credentials dump via Task Manager (file) 11
TA0006-Credential Access T1003.001-Credential dumping: LSASS LSASS dump indicator via Task Manager access 1 or 4688
TA0006-Credential Access T1003.001-Credential dumping: LSASS LSASS process accessed by a non system account 4656 or 4663
TA0006-Credential Access T1003.001-Credential dumping: LSASS SAM database user credential dump 4661 Mimikatz
TA0006-Credential Access T1003.001-Credential dumping: LSASS Task manager used to dump LSASS process 4663
TA0006-Credential Access T1003.002-Security Account Manager Password dump over SMB ADMIN$ 5145 Secretdump
TA0006-Credential Access T1003.002-Security Account Manager SAM database access during DCshadow 4661 DCShadow
TA0006-Credential Access T1003.003-NTDS IFM created 325 or 327
TA0006-Credential Access T1003.003-NTDS IFM created from command line 1 or 4688
TA0006-Credential Access T1003.003-OS Credential-Dumping NTDS DSRM configuration changed (Reg via command) 1 or 4688
TA0006-Credential Access T1003.003-OS Credential-Dumping NTDS DSRM configuration changed (Reg via PowerShell) 800 or 4103 or 4104
TA0006-Credential Access T1003.003-OS Credential-Dumping NTDS DSRM password reset 4794
TA0006-Credential Access T1003.006-DCSync Member added to a Exchange DCsync related group 4728 or 4756 or 4732 DCSync
TA0006-Credential Access T1003.006-DCSync Netsync attack 4624 and 5145 NetSync
TA0006-Credential Access T1003.006-DCSync Replication privileges granted to perform DCSync attack 5136 DCSync
TA0006-Credential Access T1003-Credential dumping Backdoor introduction via registry permission change through WMI (DAMP) 4674 DAMP
TA0006-Credential Access T1003-Credential dumping Diskshadow abuse 1 or 4688
TA0006-Credential Access T1003-Credential dumping Wdigest authentication enabled (Reg via command) 1 or 4688
TA0006-Credential Access T1003-Credential dumping Wdigest authentication enabled (Reg via Sysmon) 12 or 12
TA0006-Credential Access T1003-OS Credential dumping Group Managed Service Accounts password dump 4662 GoldenGMSA
TA0006-Credential Access T1040-Network sniffing Windows native sniffing tool Pktmon usage 1 or 4688
TA0006-Credential Access T1110.xxx-Brut force Bruteforce via password reset 4723 or 4724
TA0006-Credential Access T1110.xxx-Brut force Brutforce enumeration on Windows OpenSSH server with non existing user 4625 or 4 SSH server
TA0006-Credential Access T1110.xxx-Brut force Brutforce on Windows OpenSSH server with valid user 4625 or 4 SSH server
TA0006-Credential Access T1110.xxx-Brut force Kerberos brutforce enumeration with existing/unexsting users (Kerbrute) 4771 or 4768
TA0006-Credential Access T1110.xxx-Brut force Kerberos brutforce with not existing users 4771 or 4768
TA0006-Credential Access T1110.xxx-Brut force Login failure from a single source with different non existing accounts 33205
TA0006-Credential Access T1110.xxx-Brut force Login failure from a single source with different non existing accounts 4625
TA0006-Credential Access T1555.003-Credentials from Password Stores: Credentials from Web Browsers User browser credentials dump via network share 5145 DonPapi, Lazagne
TA0006-Credential Access T1555.004-Windows Credential Manager Credentials (protected by DPAPI) dump via network share 5145 DonPapi, Lazagne
TA0006-Credential Access T1555.004-Windows Credential Manager Vault credentials were read 5382
TA0006-Credential Access T1555.004-Windows Credential Manager Vault credentials were read 800 or 4103 or 4104
TA0006-Credential Access T1555-Credentials from Password Stores Azure AD Connect credentials dump via network share 5145 AdConnectDump
TA0006-Credential Access T1555-Credentials from Password Stores Suspicious Active Directory DPAPI attributes accessed 4662
TA0006-Credential Access T1555-Credentials from Password Stores User files dump via network share 5145 DonPapi, Lazagne
TA0006-Credential Access T1557.001-MiM:LLMNR/NBT-NS Poisoning and SMB Relay Discovery for print spooler bug abuse via named pipe 5145
TA0006-Credential Access T1557.001-MiM:LLMNR/NBT-NS Poisoning and SMB Relay Exchange server impersonation via PrivExchange relay attack 4624 PrivExchange
TA0006-Credential Access T1558.001-Golden Ticket Kerberos TGS ticket request related to a potential Golden ticket 4769 Golden ticket
TA0006-Credential Access T1558.001-Golden Ticket SMB Admin share accessed with a forged Golden ticket 5140 or 5145 Golden ticket
TA0006-Credential Access T1558.001-Golden Ticket Success login impersonation with forged Golden ticket 4624 Golden ticket
TA0006-Credential Access T1558.003-Kerberoasting KerberOAST ticket (TGS) request detected (low encryption) 4769 Kerberoast
TA0006-Credential Access T1558.004-Steal or Forge Kerberos Tickets: AS-REP Roasting Kerberos AS-REP Roasting ticket request detected 4768 AS-REP Roasting
TA0006-Credential Access T1558-Steal or Forge Kerberos Tickets Kerberos key list attack for credential dumping 4769 Kerberos key list
TA0006-Credential Access T1558-Steal or Forge Kerberos Tickets Kerberos ticket without a trailing $ 4768 or 4769 CVE-2021-42278/42287 & SAM-the-admin
TA0006-Credential Access T1558-Steal or Forge Kerberos Tickets Susipicious Kerberos ticket (TGS) with constrained delegation (S4U2Proxy) 4769
TA0006-Credential Access T1558-Steal or Forge Kerberos Tickets Susipicious Kerberos ticket (TGS) with unconstrained delegation (TrustedForDelegation) 4769
TA0006-Credential Access T1558-Steal or Forge Kerberos Tickets Suspicious Kerberos proxiable ticket 4768 CVE-2021-42278/42287 & SAM-the-admin
TA0007-Discovery T1016-System Network Configuration Discovery Firewall configuration enumerated (command) 1 or 4688
TA0007-Discovery T1016-System Network Configuration Discovery Firewall configuration enumerated (PowerShell) 800 or 4103 or 4104
TA0007-Discovery T1016-System Network Configuration Discovery Tentative of zone transfer from a non DNS server detected 6004 (DNSserver)
TA0007-Discovery T1018-Remote System Discovery DNS hosts file accessed via network share 5145
TA0007-Discovery T1046-Network Service Scanning Multiple anonymous login from a single source 4624
TA0007-Discovery T1046-Network Service Scanning RDP discovery performed on multiple hosts 131
TA0007-Discovery T1046-Network Service Scanning Suspicious anonymous login 4624
TA0007-Discovery T1069.001-Discovery domain groups Local domain group enumeration via RID brutforce 4661 CrackMapExec
TA0007-Discovery T1069.001-Discovery domain groups Local group enumeration via Azure Virtual machine recovery tool. 4799
TA0007-Discovery T1069.001-Discovery local groups Remote local group enumeration (SharpeHound) 4799 SharpHound
TA0007-Discovery T1069.002-Discovery domain groups Domain group enumeration 4661 CrackMapExec
TA0007-Discovery T1069.002-Discovery domain groups Honeypot object (container, computer, group, user) enumerated 4662 SharpHound
TA0007-Discovery T1069.002-Discovery domain groups Massive SAM domain users & groups discovery 4661
TA0007-Discovery T1069.002-Discovery domain groups Sensitive SAM domain user & groups discovery 4661
TA0007-Discovery T1069-Permission Groups Discovery Group discovery via commandline 1 or 4688
TA0007-Discovery T1069-Permission Groups Discovery Group discovery via PowerShell 800 or 4103 or 4104
TA0007-Discovery T1082-System Information Discovery Audit policy settings collection 1 or 4688
TA0007-Discovery T1087.002-Domain Account discovery Active Directory PowerShell module called from a non administrative host 600
TA0007-Discovery T1087.002-Domain Account discovery Single source performing host enumeration over Kerberos ticket (TGS) detected 4769 SharpHound
TA0007-Discovery T1087-Account discovery SPN enumeration (command) 1 or 4688 Kerberoast
TA0007-Discovery T1087-Account discovery SPN enumeration (PowerShell) 800 or 4103 or 4104
TA0007-Discovery T1087-Account discovery User enumeration via commandline 1 or 4688
TA0007-Discovery T1135-Network Share Discovery Host performing advanced named pipes enumeration on different hosts via SMB 5145 SharpHound
TA0007-Discovery T1135-Network Share Discovery Network share discovery and/or connection via commandline 1 or 4688
TA0007-Discovery T1135-Network Share Discovery Network share manipulation via commandline 1 or 4688
TA0007-Discovery T1201-Password Policy Discovery Domain password policy enumeration 4661 CrackMapExec
TA0007-Discovery T1201-Password Policy Discovery Password policy discovery via commandline 1 or 4688
TA0007-Discovery T1482-Domain Trust Discovery Active Directory Forest PowerShell class called from a non administrative host 800 or 4103 or 4104
TA0007-Discovery T1518-Software discovery SQL Server database's table enumeration 1 or 4688
TA0008-Lateral Movement T1021.001-Remote Desktop Protocol Denied RDP login with valid credentials 4825
TA0008-Lateral Movement T1021.001-Remote Desktop Protocol DP BlueeKeep connection closed 148 CVE-2019-0708
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Admin share accessed via SMB (basic) 5140 or 5145
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Impacket WMIexec execution via SMB admin share 5145 WMIexec
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Lateral movement by mounting a network share - net use (command) 4688 and 4648
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares New file share created on a host 5142
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Number of oustanding SMB requests increased (command) 1 or 4688
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Psexec remote execution via SMB 5145
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Remote service creation over SMB 5145
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Remote shell execuction via SMB admin share 5145
TA0008-Lateral Movement T1021.002-SMB Windows Admin Shares Shared printer creation 5142 PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0008-Lateral Movement T1021.003-DCOM DCOM lateral movement (via MMC20) 4104
TA0008-Lateral Movement T1021.003-DCOM DCOMexec privilege abuse 4674
TA0008-Lateral Movement T1021.003-DCOM DCOMexec process abuse via MMC 1 or 4688
TA0008-Lateral Movement T1021.004-Remote services: SSH OpenSSH native server feature installation 800 or 4103 or 4104 SSH server
TA0008-Lateral Movement T1021.004-Remote services: SSH OpenSSH server for Windows activation/configuration detected 800 or 4103 or 4104 SSH server
TA0008-Lateral Movement T1021.006-Windows Remote Management WinRM listening service reconnaissance 4656
TA0008-Lateral Movement T1021.006-Windows Remote Management WinRS usage for remote execution 1 or 4688
TA0008-Lateral Movement T1021-Remote Services Honeypot used for lateral movement (failure) 4625
TA0008-Lateral Movement T1021-Remote Services Honeypot used for lateral movement (success) 4624 or 47**
TA0008-Lateral Movement T1550.002-Use Alternate Authentication Material: Pass the Hash LSASS dump via process access 10 Mimikatz
TA0008-Lateral Movement T1550.002-Use Alternate Authentication Material: Pass the Hash Pass-the-hash login 4624 Mimikatz
TA0008-Lateral Movement T1563.002-RDP hijacking RDP session hijack via TSCON abuse command 1 or 4688
TA0009-Collection T1125-Video capture RDP shadow session started (command) 1 or 4688
TA0009-Collection T1125-Video capture RDP shadow session started (native) 20503 or 04 or 08
TA0009-Collection T1125-Video capture RDP shadow session started (registry) 13
TA0011-Command and control Winlogon process contact to C2 (Blacklotus) 3
TA0011-Command and control 1071.004- Application Layer Protocol: DNS DoT activation (command) 1 or 4688
TA0011-Command and control 1071.004- Application Layer Protocol: DNS DoT activation (PowerShell) 800 or 4103 or 4104
TA0011-Command and control T1090-Proxy Proxy configuration changed 5600
TA0011-Command and control T1572-Protocol tunneling RDP tunneling configuration enabled for port forwarding 1 or 4688
TA0011-Command and control T1572-Protocol tunneling RDP tunneling detected 1149
TA0011-Command and control T1572-Protocol tunneling RDP tunneling detected via ngrok 21 or 25 or 1149
TA0040-Impact T1486-Data Encrypted for Impact BitLocker feature configuration (Reg via command) 1 or 4688
TA0040-Impact T1486-Data Encrypted for Impact BitLocker massive feature activation (native) 768
TA0040-Impact T1486-Data Encrypted for Impact BitLocker server feature activation (PowerShell) 800 or 4103 or 4104
TA0040-Impact T1489-Service Stop Massive services termination burst 1 or 4688
TA0040-Impact T1490-Inhibit System Recovery VSS backup deletion (PowerShell) 800 or 4103 or 4104
TA0040-Impact T1490-Inhibit System Recovery VSS backup deletion (WMI) 1 or 4688
TA0040-Impact T1490-Inhibit System Recovery VSS backup deletion 1 or 4688
TA0040-Impact T1490-Inhibit System Recovery Windows native backup deletion 1 or 4688
TA0040-Impact T1490-Inhibit System Recovery Windows native backup size re-configuration 1 or 4688
TA0040-Impact T1565-Data manipulation DNS hosts file modified 11