MITRE_TECHNIQUES_FROM_SYSMON_EVENT10.xml
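<group name="windows,sysmon,">
  <!--
    Sysmon Event 10 (ProcessAccess) events tagged with a MITRE technique.

    Every rule is a child of Wazuh's built-in rule 61612 (Sysmon Event 10) and
    matches the tag that the deployed Sysmon configuration writes into the
    event's RuleName field ("technique_id=...,technique_name=..."). The match is
    only as good as that configuration: a different tag spelling, or several
    tags joined into one RuleName, will not satisfy the anchored (^...$)
    patterns and nothing here fires. Re-check these patterns whenever the
    Sysmon config changes.

    Patterns use Wazuh's default OS_Regex syntax, in which a bare "." is a
    literal period (the any-character token is "\."), so sub-technique IDs such
    as T1055.001 match exactly.

    Levels: everything stays at level 3 (the usual log_alert_level), so events
    are recorded but not escalated. Event 10 volume depends entirely on the
    Sysmon config's own filtering; raise the credential-dumping rules (109101,
    109107) through a local overwrite once their noise level is known, rather
    than editing the levels here.

    no_full_log suppresses only the raw event text; the decoded
    win.eventdata.* fields (sourceImage, targetImage, grantedAccess, callTrace)
    are still emitted, and callTrace is usually the most useful field when
    triaging suspected LSASS access.

    MITRE mappings use the parent technique ID, matching the rest of this file.
    Field names in $(...) follow the lowercase spelling already used here
    (Wazuh resolves field names case-insensitively).
  -->

  <!-- T1003 Credential Dumping: whatever Event 10 filter the Sysmon config tags as T1003. -->
  <rule id="109101" level="3">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1003,technique_name=Credential Dumping$</field>
    <description>Sysmon - Event 10: ProcessAccess by $(win.eventdata.sourceimage) on $(win.eventdata.targetimage) - Credential Dumping (T1003)</description>
    <mitre>
      <id>T1003</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_10,</group>
  </rule>

  <!-- T1055.001 DLL Injection (sub-technique of Process Injection). -->
  <rule id="109102" level="3">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1055.001,technique_name=Dynamic-link Library Injection$</field>
    <description>Sysmon - Event 10: ProcessAccess by $(win.eventdata.sourceimage) on $(win.eventdata.targetimage) - Dynamic-link Library Injection (T1055.001)</description>
    <mitre>
      <id>T1055</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_10,</group>
  </rule>

  <!-- T1036 Masquerading. -->
  <rule id="109103" level="3">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1036,technique_name=Masquerading$</field>
    <description>Sysmon - Event 10: ProcessAccess by $(win.eventdata.sourceimage) on $(win.eventdata.targetimage) - Masquerading (T1036)</description>
    <mitre>
      <id>T1036</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_10,</group>
  </rule>

  <!-- T1059.001 PowerShell (sub-technique of Command and Scripting Interpreter). -->
  <rule id="109104" level="3">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1059.001,technique_name=PowerShell$</field>
    <description>Sysmon - Event 10: ProcessAccess by $(win.eventdata.sourceimage) on $(win.eventdata.targetimage) - PowerShell (T1059.001)</description>
    <mitre>
      <id>T1059</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_10,</group>
  </rule>

  <!-- T1055 Process Injection (parent technique tag). -->
  <rule id="109105" level="3">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1055,technique_name=Process Injection$</field>
    <description>Sysmon - Event 10: ProcessAccess by $(win.eventdata.sourceimage) on $(win.eventdata.targetimage) - Process Injection (T1055)</description>
    <mitre>
      <id>T1055</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_10,</group>
  </rule>

  <!-- T1112 Modify Registry. -->
  <rule id="109106" level="3">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1112,technique_name=Modify Registry$</field>
    <description>Sysmon - Event 10: ProcessAccess by $(win.eventdata.sourceimage) on $(win.eventdata.targetimage) - Modify Registry (T1112)</description>
    <mitre>
      <id>T1112</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_10,</group>
  </rule>

  <!--
    LSASS Memory. The tag is matched verbatim as the Sysmon config emits it.
    NOTE(review): in MITRE's current matrix "LSASS Memory" is T1003.001 and
    T1003.004 is "LSA Secrets"; the ID/name pair in this tag is inconsistent.
    Change the pattern only together with the Sysmon config that produces it.
  -->
  <rule id="109107" level="3">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1003.004,technique_name=LSASS Memory$</field>
    <description>Sysmon - Event 10: ProcessAccess by $(win.eventdata.sourceimage) on $(win.eventdata.targetimage) - Credential Dumping: LSASS Memory (T1003)</description>
    <mitre>
      <id>T1003</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_10,</group>
  </rule>

  <!-- T1053 Scheduled Task/Job. -->
  <rule id="109108" level="3">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1053,technique_name=Scheduled Task$</field>
    <description>Sysmon - Event 10: ProcessAccess by $(win.eventdata.sourceimage) on $(win.eventdata.targetimage) - Scheduled Task (T1053)</description>
    <mitre>
      <id>T1053</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_10,</group>
  </rule>

  <!-- T1218.010 Regsvr32 (sub-technique of Signed Binary Proxy Execution). -->
  <rule id="109109" level="3">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1218.010,technique_name=Regsvr32$</field>
    <description>Sysmon - Event 10: ProcessAccess by $(win.eventdata.sourceimage) on $(win.eventdata.targetimage) - Regsvr32 (T1218.010)</description>
    <mitre>
      <id>T1218</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_10,</group>
  </rule>

  <!--
    DLL Side-Loading. T1073 was deprecated by MITRE; the technique now lives at
    T1574.002 under Hijack Execution Flow (T1574). The RuleName pattern keeps
    the legacy tag the Sysmon config still emits, while the MITRE mapping points
    at the current parent technique. NOTE(review): this needs a Wazuh MITRE
    database that contains T1574; on an older database Wazuh is expected to log
    a warning and drop the mapping, but the rule itself still loads. Confirm on
    the target version.
  -->
  <rule id="109110" level="3">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1073,technique_name=DLL Side-Loading$</field>
    <description>Sysmon - Event 10: ProcessAccess by $(win.eventdata.sourceimage) on $(win.eventdata.targetimage) - DLL Side-Loading (T1574.002, legacy tag T1073)</description>
    <mitre>
      <id>T1574</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_10,</group>
  </rule>

  <!-- T1047 Windows Management Instrumentation. -->
  <rule id="109111" level="3">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1047,technique_name=Windows Management Instrumentation$</field>
    <description>Sysmon - Event 10: ProcessAccess by $(win.eventdata.sourceimage) on $(win.eventdata.targetimage) - Windows Management Instrumentation (T1047)</description>
    <mitre>
      <id>T1047</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_10,</group>
  </rule>

  <!-- T1137 Office Application Startup. -->
  <rule id="109112" level="3">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1137,technique_name=Office Application Startup$</field>
    <description>Sysmon - Event 10: ProcessAccess by $(win.eventdata.sourceimage) on $(win.eventdata.targetimage) - Office Application Startup (T1137)</description>
    <mitre>
      <id>T1137</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_10,</group>
  </rule>
</group>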