Vendor: Microsoft
June 14, 2023
Product: Sysmon
Use-Case: Compromised Credentials
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 85 | 20 | 12 | 5 | 5 |
| Event Type | Rules | Models |
|---|---|---|
| file-delete | T1083 - File and Directory Discovery ↳ FA-UA-UI-F: First file activity from ISP ↳ FA-UA-UC-F: First file activity from country for user ↳ FA-UA-UC-A: Abnormal file activity from country for user ↳ FA-UA-GC-F: First file activity from country for group ↳ FA-UA-GC-A: Abnormal file activity from country for group ↳ FA-UA-OC-F: First file activity from country for organization ↳ FA-UA-OC-A: Abnormal file activity from country for organization ↳ FA-UTi: Abnormal user file activity time ↳ FA-UH-F: First file access from asset for user ↳ FA-UH-A: Abnormal file access from asset for user ↳ FA-OZ-F: First file access from network zone for organization ↳ FA-OZ-A: Abnormal file access from network zone for organization ↳ FA-UZ-F: First file access from network zone for user ↳ FA-UZ-A: Abnormal file access from network zone for user ↳ FA-UA-F: First file access activity for user ↳ FA-UA-A: Abnormal file access activity for user ↳ FA-OU-F: First access to source code files for user in the organization ↳ FA-OU-A: Abnormal access to source code files for user in the organization ↳ FA-OG-F: First access to source code files for user in the peer group ↳ FA-OG-A: Abnormal access to source code files for user in the peer group ↳ FA-UD-F: First file server access for user ↳ FA-UD-A: Abnormal file server access for user ↳ FA-GD-F: First file server access for group ↳ FA-GD-A: Abnormal file server access for group | • FA-GD: File server access per group • FA-UD: File server access per user • FA-OG: Users accessing source code files in the peer group • FA-OU: Users accessing source code files in the organization • FA-UA: File access activities for user • FA-UZ: File accesses from network zone for user • FA-OZ: File accesses from network zone for organization • FA-UH: User file access source host • FA-UTi: File activity time for user • FA-UA-OC: Countries for organization file activities • FA-UA-GC: Countries for peer groups file activities • FA-UA-UC: Countries for user file activity • FA-UA-UI-new: ISP of users during file activity |
| file-write | T1083 - File and Directory Discovery ↳ FA-UA-UI-F: First file activity from ISP ↳ FA-UA-UC-F: First file activity from country for user ↳ FA-UA-UC-A: Abnormal file activity from country for user ↳ FA-UA-GC-F: First file activity from country for group ↳ FA-UA-GC-A: Abnormal file activity from country for group ↳ FA-UA-OC-F: First file activity from country for organization ↳ FA-UA-OC-A: Abnormal file activity from country for organization ↳ FA-UTi: Abnormal user file activity time ↳ FA-UH-F: First file access from asset for user ↳ FA-UH-A: Abnormal file access from asset for user ↳ FA-OZ-F: First file access from network zone for organization ↳ FA-OZ-A: Abnormal file access from network zone for organization ↳ FA-UZ-F: First file access from network zone for user ↳ FA-UZ-A: Abnormal file access from network zone for user ↳ FA-UA-F: First file access activity for user ↳ FA-UA-A: Abnormal file access activity for user ↳ FA-OU-F: First access to source code files for user in the organization ↳ FA-OU-A: Abnormal access to source code files for user in the organization ↳ FA-OG-F: First access to source code files for user in the peer group ↳ FA-OG-A: Abnormal access to source code files for user in the peer group ↳ FA-UD-F: First file server access for user ↳ FA-UD-A: Abnormal file server access for user ↳ FA-GD-F: First file server access for group ↳ FA-GD-A: Abnormal file server access for group T1003.003 - OS Credential Dumping: NTDS ↳ A-NTDS-Access-F: The NTDS database was accessed from a new location on this asset. ↳ A-NTDS-Access-A: The NTDS database was accessed from a non-default location on this asset. ↳ A-NTDS-Access: The NTDS database was accessed from a non-default location without 'ntds.dit' in the file path on this asset. ↳ A-NTDS-Shadow-Copy1: The NTDS database changed location to a shadow copy, with 'ntds.dit' and 'harddiskvolumeshadowcopy' in the file path on this asset. ↳ A-NTDS-Shadow-Copy2: The NTDS database changed location to a shadow copy, with 'harddiskvolumeshadowcopy' in the file path on this asset. T1003.002 - OS Credential Dumping: Security Account Manager ↳ A-ATP-Tool-FGDump: Malicious exe/dll. ↳ A-ATP-Tool-PSTGDump: Malicious pstgdump.exe was run from a temp folder on this asset. | • FA-GD: File server access per group • FA-UD: File server access per user • FA-OG: Users accessing source code files in the peer group • FA-OU: Users accessing source code files in the organization • FA-UA: File access activities for user • FA-UZ: File accesses from network zone for user • FA-OZ: File accesses from network zone for organization • FA-UH: User file access source host • FA-UTi: File activity time for user • FA-UA-OC: Countries for organization file activities • FA-UA-GC: Countries for peer groups file activities • FA-UA-UC: Countries for user file activity • FA-UA-UI-new: ISP of users during file activity • A-NTDS-Access: Models the number of accesses to paths that are related to NTDS |
| process-alert | TA0002 - Execution ↳ EPA-UP-ALERT-F: First security alert for executing this process by the user ↳ EPA-UP-ALERT-A: Abnormal security alert for executing this process by the user ↳ EPA-UP-ALERT-N: Common security alert for executing this process by the user ↳ EPA-UH-Pen-F: Known pentest tool used T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools ↳ A-ALERT-Other: Alert on asset ↳ A-ALERT-Critical: Security alert on a critical asset ↳ A-ALERT-Log4j: An alert associated with exploitation or post-exploitation activity, as seen with the Log4j vulnerability, was detected. | • EPA-UH-Pen: Malicious tools used by user • EPA-UP-ALERT: Processes that triggered alerts for the user |
| process-created | T1003.002 - OS Credential Dumping: Security Account Manager ↳ A-GRAB-REG-HIVES: Grabbing sensitive hives via the Reg utility on this asset ↳ GRAB-REG-HIVES: Grabbing sensitive hives via the Reg utility ↳ ATP-PWDump: Malicious exe was run which is part of a credential dumping tool T1003.001 - OS Credential Dumping: LSASS Memory ↳ A-CreateMiniDump-Hacktool: CreateMiniDump hacktool detected on this asset. ↳ A-LSASS-Mem-Dump: LSASS memory dumping detected on this asset ↳ A-Proc-Dump-Comsvcs: Process dump via Rundll32 and Comsvcs.dll detected on this asset ↳ A-Sus-Procdump: Suspicious use of Procdump on this asset. ↳ A-Procdump-Comsvcs-DLL: Process dump via Comsvcs DLL on this asset ↳ A-PC-Rundll-LsassDump: Rundll32 was run with minidump via command line on this asset. ↳ A-PC-Procdump-LsassDump: Procdump was executed with lsass dump command line parameters on this asset. ↳ CreateMiniDump-Hacktool: CreateMiniDump hacktool ↳ LSASS-Mem-Dump: LSASS memory dumping ↳ Proc-Dump-Comsvcs: Process dump via Rundll32 and Comsvcs.dll ↳ Sus-Procdump: Suspicious use of Procdump ↳ Procdump-Comsvcs-DLL: Process dump via Comsvcs DLL ↳ PC-Rundll-LsassDump: Rundll32 was run with minidump via command line ↳ PC-Procdump-LsassDump: Procdump was executed with lsass dump command line parameters. T1218.011 - Signed Binary Proxy Execution: Rundll32 ↳ A-Procdump-Comsvcs-DLL: Process dump via Comsvcs DLL on this asset ↳ A-PC-Rundll-LsassDump: Rundll32 was run with minidump via command line on this asset. ↳ Procdump-Comsvcs-DLL: Process dump via Comsvcs DLL ↳ PC-Rundll-LsassDump: Rundll32 was run with minidump via command line T1040 - Network Sniffing ↳ A-NSniff-Cred: Potential network sniffing was observed on this asset. ↳ A-EPA-SNIFF: Network sniffing tool has been found running on this asset ↳ A-EPA-OH-SNIFF-F: First time this asset has had an execution of a network sniffing tool ↳ A-EPA-OH-SNIFF-A: Abnormal asset running network sniffing tool ↳ A-EPA-OZ-SNIFF-F: First zone on which network sniffing tool was run ↳ A-EPA-OZ-SNIFF-A: Abnormal zone on which network sniffing tool was run ↳ EPA-SNIFF: Network sniffing tool has been run by this user ↳ EPA-OU-SNIFF-F: First time this user has run a network sniffing tool ↳ EPA-OU-SNIFF-A: Abnormal user has run a network sniffing tool ↳ EPA-OG-SNIFF-F: First time this peer group has run a network sniffing tool ↳ EPA-OG-SNIFF-A: Abnormal peer group running a network sniffing tool ↳ EPA-OH-SNIFF-F: First time this host has run a network sniffing tool ↳ EPA-OH-SNIFF-A: Abnormal host running a network sniffing tool ↳ EPA-OZ-SNIFF-F: First time a network sniffing tool was run on this network zone ↳ EPA-OZ-SNIFF-A: Abnormal network zone on which network sniffing tool was run ↳ NSniff-Cred: Potential network sniffing was observed T1003 - OS Credential Dumping ↳ A-CP-Sensitive-Files: Copying sensitive files with credential data on this asset ↳ A-ShadowCP-SymLink: Shadow copies access via symlink on this asset ↳ A-ShadowCP-OSUtilities: Shadow copies creation using operating system utilities on this asset ↳ Mimikatz-process: A highly dangerous attacker tool, Mimikatz, has been used ↳ CP-Sensitive-Files: Copying sensitive files with credential data ↳ ShadowCP-SymLink: Shadow copies access via symlink ↳ ShadowCP-OSUtilities: Shadow copies creation using operating system utilities ↳ Cmdkey-Cred-Recon: Cmdkey cached credentials recon T1003.003 - OS Credential Dumping: NTDS ↳ AD-Diagnostic-Tool: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) T1555 - Credentials from Password Stores ↳ A-SecX-Tool-Exec: SecurityXploded tool execution detected on this asset ↳ SecX-Tool-Exec: SecurityXploded tool execution detected T1016 - System Network Configuration Discovery ↳ WINCMD-Route: 'Route' program used ↳ WINCMD-Netsh: 'Netsh' program used TA0002 - Execution ↳ EPA-UH-Pen-F: Known pentest tool used T1003.005 - OS Credential Dumping: Cached Domain Credentials ↳ A-Cmdkey-Cred-Recon: Cmdkey cached credentials recon on this asset | • EPA-OZ-SNIFF: Network zones on which network sniffing tools are run • EPA-OH-SNIFF: Hosts that have been found to be running network sniffing tools • EPA-OG-SNIFF: Peer groups that are running network sniffing tools • EPA-OU-SNIFF: Users that are running network sniffing tools • EPA-UH-Pen: Malicious tools used by user |
| process-network | TA0002 - Execution ↳ EPA-UH-Pen-F: Known pentest tool used | • EPA-UH-Pen: Malicious tools used by user |