Mapping MITRE ATT&CK with Windows Event Log IDs

Author/Credits: mdecrevoisier

MITRE ATT&CK is known for its tactics and techniques, and attacks are commonly mapped to it. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The tactics are a modern way of looking at cyberattacks. Rather than looking at the results of an attack, aka an indicator of compromise (IoC), it identifies tactics that indicate an attack is in progress. Tactics are the “why” of an attack technique. The second “T” in ATT&CK stands for techniques. Each tactic includes a set of techniques that have been seen in use by malware and threat actors.

Techniques represent the “how”—how attackers carry out a tactic in practice. The “CK” at the end of ATT&CK stands for common knowledge. This is the documented use of tactics and techniques by adversaries. Essentially, common knowledge is the documentation of procedures. Those familiar with cybersecurity may be familiar with the term “tactics, techniques, and procedures,” or TTP.

Mapping ATT&CK to Windows Event IDs:

Indicators of attack (IOA) are used by security operations to identify risks and map them to the most appropriate attack. To address different security scenarios with your SIEM, the table below maps Windows Event IDs by tactic and technique.

| ATT&CK Tactic | ATT&CK Technique | Description | Event IDs | Threat name / Tool / CVE |
| --- | --- | --- | --- | --- |
| Antivirus | Antivirus | Defender: antivirus not up to date | 1151 | |
| Antivirus | Antivirus | Defender: massive malware outbreak detected on multiple hosts | 1116 | |
| Antivirus | Antivirus | Defender: massive malware detected on a single host | 1116 | |
| TA0001-Initial access | T1078.002-Valid accounts-Domain accounts | Login denied due to account policy restrictions | 4625 | |
| TA0001-Initial access | T1078.002-Valid accounts-Domain accounts | Login failure from a single source with a disabled account | 33205 | |
| TA0001-Initial access | T1078.002-Valid accounts-Domain accounts | Success login on OpenSSH server | 4624/4 | SSH server |
| TA0001-Initial access | T1078-Valid accounts | RDP reconnaissance with valid credentials performed to multiple hosts | 4624/1149 | |
| TA0002-Execution | T1047-Windows Management Instrumentation | Impacket WMIexec process execution | 4688 | WMIexec |
| TA0002-Execution | T1053.005-Scheduled Task | Interactive shell triggered by scheduled task (at, deprecated) | 4688 | |
| TA0002-Execution | T1053.005-Scheduled Task | Persistent scheduled task with SYSTEM privileges creation | 4688 | |
| TA0002-Execution | T1053.005-Scheduled Task | Remote schedule task creation via named pipes | 5145 | Atexec |
| TA0002-Execution | T1053.005-Scheduled Task | Schedule task created and deleted in a short period of time | 4698-4699 | |
| TA0002-Execution | T1053.005-Scheduled Task | Schedule task created with suspicious arguments | 4698 | Atexec |
| TA0002-Execution | T1053.005-Scheduled Task | Schedule task fastly created and deleted | 4698,4699 | Atexec |
| TA0002-Execution | T1053.005-Scheduled Task | Scheduled task creation | 4688 | |
| TA0002-Execution | T1059.001-Command and Scripting Interpreter: PowerShell | Encoded PowerShell payload deployed | 800/4103/4104 | |
| TA0002-Execution | T1059.001-Command and Scripting Interpreter: PowerShell | Interactive PipeShell over SMB named pipe | 800/4103/4104 | |
| TA0002-Execution | T1059.001-Command and Scripting Interpreter: PowerShell | Payload downloaded via PowerShell | 800/4103/4104 | |
| TA0002-Execution | T1059.003-Windows Command Shell | Encoded PowerShell payload deployed via process execution | 4688 | |
| TA0002-Execution | T1059.003-Windows Command Shell | SQL Server payload injection for reverse shell (MSF) | 4688 | |
| TA0002-Execution | T1204-User execution | Edge abuse for payload download via console | 4688 | |
| TA0002-Execution | T1204-User execution | Edge/Chrome headless feature abuse for payload download | 4688 | |
| TA0002-Execution | T1569.002-Service Execution | PSexec installation detected | 4688 | |
| TA0002-Execution | T1569.002-Service Execution | Service massive failures (native) | 7000/7009 | Tchopper |
| TA0002-Execution | T1569.002-Service Execution | Service massive installation (native) | 7045/4697 | Tchopper |
| TA0002-Execution | T1569.002-Service Execution | Service massive remote creation via named pipes (native) | 5145 | Tchopper |
| TA0003-Persistence | T1078.002-Valid accounts-Domain accounts | Account renamed to “admin” (or likely) | 4781 | |
| TA0003-Persistence | T1098.xxx-Account manipulation | Computer account created with privileges | 4741 | CVE-2021-42278/42287 & SAM-the-admin |
| TA0003-Persistence | T1098.xxx-Account manipulation | Computer account renamed without a trailing $ | 4781 | CVE-2021-42278/42287 & SAM-the-admin |
| TA0003-Persistence | T1098.xxx-Account Manipulation | High risk domain group membership change | 4728/4756 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | High risk local-domain local group membership change | 4732 | |
| TA0003-Persistence | T1098.xxx-Account manipulation | Host delegation settings changed for potential abuse (any protocol) | 4742 | Rubeus |
| TA0003-Persistence | T1098.xxx-Account manipulation | Host delegation settings changed for potential abuse (any service, Kerberos only) | 4742 | Rubeus |
| TA0003-Persistence | T1098.xxx-Account manipulation | Host delegation settings changed for potential abuse (Kerberos only) | 4742 | Rubeus |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Medium risk local-domain local group membership change | 4732 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Member added and removed from a group by a user account in a short period of time | 4728/29,4756/57,4732/33 | |
| TA0003-Persistence | T1098.xxx-Account manipulation | Member added to a built-in Exchange security group | 4756 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Member added to a group by the same account | 4728,4756,4732 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Member added to a local group by a user account | 4732 | |
| TA0003-Persistence | T1098.xxx-Account manipulation | Member added to DNSadmin group for DLL abuse | 4732 | DNS DLL abuse |
| TA0003-Persistence | T1098.xxx-Account manipulation | New admin (or likely) created by a non administrative account | 4720 | |
| TA0003-Persistence | T1098.xxx-Account manipulation | SPN modification of a computer account (Directory Services) | 5136 | DCShadow |
| TA0003-Persistence | T1098.xxx-Account manipulation | SPN modification of a computer account | 4742 | |
| TA0003-Persistence | T1098.xxx-Account manipulation | SPN modification of a computer account | 4742 | DCShadow |
| TA0003-Persistence | T1098.xxx-Account manipulation | SPN modification of a user account | 5136 | Kerberoasting |
| TA0003-Persistence | T1098.xxx-Account manipulation | SQL Server: new member added to a database role | 33205 | |
| TA0003-Persistence | T1098.xxx-Account manipulation | SQL Server: new member added to server role | 33205 | |
| TA0003-Persistence | T1098.xxx-Account manipulation | User account created and/or set with reversible encryption detected | 4738 | |
| TA0003-Persistence | T1098.xxx-Account manipulation | User account marked as “sensitive and cannot be delegated” had its protection removed | 4738 | |
| TA0003-Persistence | T1098.xxx-Account manipulation | User account set to not require Kerberos pre-authentication | 4738 | |
| TA0003-Persistence | T1098.xxx-Account manipulation | User account set to use Kerberos DES encryption | 4738 | |
| TA0003-Persistence | T1098.xxx-Account manipulation | User account with password set to never expire detected | 4738 | |
| TA0003-Persistence | T1098.xxx-Account manipulation | User account with password set to not require detected | 4738 | |
| TA0003-Persistence | T1098.xxx-Account manipulation | User password change using current hash password – ChangeNTLM | 4723 | Mimikatz |
| TA0003-Persistence | T1098.xxx-Account manipulation | User password change without previous password known – SetNTLM | 4724 | Mimikatz |
| TA0003-Persistence | T1098.xxx-Account Manipulation | User performing massive group membership changes on multiple different groups | 4728,4756 | |
| TA0003-Persistence | T1098-Account Manipulation | Disabled guest or builtin account activated | 4722 | |
| TA0003-Persistence | T1098-Account Manipulation | SPN added to an account (command) | 4688/1 | |
| TA0003-Persistence | T1136.001-Create account-Local account | Hidden account creation (with fast deletion) | 4720/4726 | |
| TA0003-Persistence | T1136.001-Create account-Local account | Local user account created on a single host | 4720 | |
| TA0003-Persistence | T1136.001-Create account-Local account | SQL Server: disabled SA account enabled | 33205 | |
| TA0003-Persistence | T1136.002-Create account-Domain account | Computer account created and deleted in a short period of time | 4741/4743 | |
| TA0003-Persistence | T1136.002-Create account-Domain account | User account created and deleted in a short period of time | 4720/4726 | |
| TA0003-Persistence | T1136.002-Create account-Domain account | User account creation disguised in a computer account | 4720/4781 | |
| TA0003-Persistence | T1136-Create account | User creation via commandline | 4688 | |
| TA0003-Persistence | T1505.001-SQL Stored Procedures | SQL lateral movement with CLR | 15457 | |
| TA0003-Persistence | T1505.001-SQL Stored Procedures | SQL Server xp_cmdshell procedure activated | 18457 | |
| TA0003-Persistence | T1505.001-SQL Stored Procedures | SQL Server: sqlcmd & ossql utilities abuse | 4688 | |
| TA0003-Persistence | T1505.001-SQL Stored Procedures | SQL Server: started in single mode for password recovery | 4688 | |
| TA0003-Persistence | T1505.002-Server Software Component: Transport Agent | Exchange transport agent injection via configuration file | 11 | |
| TA0003-Persistence | T1505.002-Server Software Component: Transport Agent | Exchange transport agent installation artifacts | 1/6 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Encoded PowerShell payload deployed via service installation | 7045/4697 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Impacket SMBexec service registration (native) | 7045/4697 | SMBexec |
| TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Mimikatz service driver installation detected | 7045/4697 | Mimikatz |
| TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service abuse with backdoored “command failure” (PowerShell) | 800/4103/4104 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service abuse with backdoored “command failure” (registry) | 4688/1 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service abuse with backdoored “command failure” (service) | 4688/1 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service abuse with malicious ImagePath (PowerShell) | 800/4103/4104 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service abuse with malicious ImagePath (registry) | 4688/1 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service abuse with malicious ImagePath (service) | 4688/1 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service created for RDP session hijack | 7045/4697 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service creation (command) | 4688 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service creation (PowerShell) | 800/4103/4104 | |
| TA0003-Persistence | T1546.003-Windows Management Instrumentation Event Subscription | System crash behavior manipulation (registry) | 13 | WMImplant |
| TA0003-Persistence | T1546.003-Windows Management Instrumentation Event Subscription | WMI registration (PowerShell) | 800/4103/4104 | |
| TA0003-Persistence | T1546.003-Windows Management Instrumentation Event Subscription | WMI registration | 19,20,21 | |
| TA0003-Persistence | T1546.007-Netsh Helper DLL | Netsh helper DLL command abuse | 4688 | |
| TA0003-Persistence | T1546.007-Netsh Helper DLL | Netsh helper DLL registry abuse | 12/13 | |
| TA0003-Persistence | T1546-Event Triggered Execution | AdminSDHolder container permissions modified | 5136 | |
| TA0003-Persistence | T1546-Event Triggered Execution | localizationDisplayId attribute abuse for backdoor introduction | 5136 | |
| TA0003-Persistence | T1547.008-Boot or Logon Autostart Execution: LSASS Driver | win-os-security package (SSP) loaded into LSA (native) | 4622 | |
| TA0003-Persistence | T1574.002-DLL Side-Loading | DNS DLL “serverlevelplugindll” command execution (+registry set) | 1/13 | DNS DLL abuse |
| TA0003-Persistence | T1574.002-DLL Side-Loading | Failed DLL loaded by DNS server | 150 | DNS DLL abuse |
| TA0003-Persistence | T1574.002-DLL Side-Loading | Success DLL loaded by DNS server | 770 | DNS DLL abuse |
| TA0003-Persistence | T1574.010-Hijack execution flow: service file permissions weakness | Service permissions modified (registry) | 4688 | |
| TA0003-Persistence | T1574.010-Hijack execution flow: service file permissions weakness | Service permissions modified (service) | 4688 | |
| TA0004-Privilege Escalation | T1068-Exploitation for Privilege Escalation | Privilege SeMachineAccountPrivilege abuse | 4673 | CVE-2021-42278/42287 & SAM-the-admin |
| TA0004-Privilege Escalation | T1134.001-Access Token Manipulation: Token Impersonation/Theft | Anonymous login | 4624/4688 | RottenPotatoNG |
| TA0004-Privilege Escalation | T1134.002-Access Token Manipulation: Create Process with Token | Privilege escalation via runas (command) | 4688/4648/4624 | |
| TA0004-Privilege Escalation | T1134.002-Access Token Manipulation: Create Process with Token | Privilege escalation via RunasCS | 4688 | |
| TA0004-Privilege Escalation | T1134-Access Token Manipulation | New access rights granted to an account by a standard user | 4717 | |
| TA0004-Privilege Escalation | T1134-Access Token Manipulation | User right granted to an account by a standard user | 4704 | |
| TA0004-Privilege Escalation | T1484.001-Domain Policy Modification-Group Policy Modification | Modification of a sensitive Group Policy | 5136 | |
| TA0004-Privilege Escalation | T1543.003-Create or Modify System Process-Windows Service | PSexec service installation detected | 7045/4697 | |
| TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | CMD executed by sticky key and detected via hash | 1 | Sticky key |
| TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky key called CMD via command execution | 4688/1 | Sticky key |
| TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky key failed sethc replacement by CMD | 4656 | Sticky key |
| TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky key file created from CMD copy | 11 | Sticky key |
| TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky key IFEO command for registry change | 4688 | Sticky key |
| TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky key IFEO registry changed | 12/13 | Sticky key |
| TA0004-Privilege Escalation | T1547.010-Port Monitors | Print spooler privilege escalation via printer added | 800/4103/4104 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527) |
| TA0004-Privilege Escalation | T1574.002-DLL Side-Loading | External printer mapped | 4688/4648 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527) |
| TA0004-Privilege Escalation | T1574.002-DLL Side-Loading | Printer spool driver from Mimikatz installed | 808 / 354 / 321 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527) |
| TA0004-Privilege Escalation | T1574.002-DLL Side-Loading | proxi | 6416 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527) |
| TA0004-Privilege Escalation | T1574.002-DLL Side-Loading | Spool process spawned a CMD shell | 4688/1 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527) |
| TA0005-Defense Evasion | T1027-Obfuscated Files or Information | Payload obfuscated transfer via service name | 4688 | Tchopper |
| TA0005-Defense Evasion | T1070.001-Indicator Removal on Host | Event log file(s) cleared | 104/1102 | |
| TA0005-Defense Evasion | T1070.001-Indicator Removal on Host | Tentative of clearing event log file(s) detected (command) | 4688 | |
| TA0005-Defense Evasion | T1070.001-Indicator Removal on Host | Tentative of clearing event log file(s) detected (PowerShell) | 800/4103/4104 | |
| TA0005-Defense Evasion | T1070.001-Indicator Removal on Host | Tentative of clearing event log file(s) detected (wmi) | 4688 | |
| TA0005-Defense Evasion | T1070.006-Timestomp | System time changed | 4616 | |
| TA0005-Defense Evasion | T1070.xxx-Audit policy disabled | Audit policy disabled | 4719 | |
| TA0005-Defense Evasion | T1070.xxx-Audit policy disabled | Domain policy changed on one or multiple hosts | 4739 | |
| TA0005-Defense Evasion | T1070.xxx-Audit policy disabled | Membership of a special group updated | 4908 | |
| TA0005-Defense Evasion | T1070.xxx-Audit policy disabled | SQL Server: Audit object deleted | 33205 | |
| TA0005-Defense Evasion | T1070.xxx-Audit policy disabled | SQL Server: Audit object disabled | 33205 | |
| TA0005-Defense Evasion | T1070.xxx-Audit policy disabled | SQL Server: Audit specifications deleted | 33205 | |
| TA0005-Defense Evasion | T1070.xxx-Audit policy disabled | SQL Server: Audit specifications disabled | 33205 | |
| TA0005-Defense Evasion | T1070.xxx-Audit policy disabled | SQL Server: Database audit specifications deleted | 33205 | |
| TA0005-Defense Evasion | T1070.xxx-Audit policy disabled | SQL Server: Database audit specifications disabled | 33205 | |
| TA0005-Defense Evasion | T1070.xxx-Audit policy disabled | Tentative of disabling or clearing audit policy by commandline | 4688 | |
| TA0005-Defense Evasion | T1078.002-Valid accounts-Domain accounts | Login from a user member of a “special group” detected (special logon) | 4964 | |
| TA0005-Defense Evasion | T1112-Modify registry | Impacket SMBexec service registration (registry) | 13 | SMBexec |
| TA0005-Defense Evasion | T1197-BITS job | Command execution related to a suspicious BITS activity detected | 4688 | |
| TA0005-Defense Evasion | T1197-BITS job | Command execution related to a suspicious BITS activity detected | 800/4103/4104 | |
| TA0005-Defense Evasion | T1197-BITS job | High amount of data downloaded via BITS | 60 | |
| TA0005-Defense Evasion | T1207-Rogue domain controller | New fake domain controller registration | 5137 / 5141 | DCShadow |
| TA0005-Defense Evasion | T1207-Rogue domain controller | Sensitive attributes accessed | 4662 | DCShadow |
| TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | Computer account modifying AD permissions | 5136 | PrivExchange |
| TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | Network share permissions changed | 5143 | |
| TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | OCSP security settings changed | 5124 (OCSP) | |
| TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | Permissions changed on a GPO | 5136 | |
| TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | Sensitive GUID related to “Replicate directory changes” detected | 4662 | DCSync |
| TA0005-Defense Evasion | T1553.003-Subvert Trust Controls: SIP and Trust Provider Hijacking | | 12-13 | |
| TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: critical security component disabled (command) | 4688/1 | |
| TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: critical security component disabled (PowerShell) | 800/4103/4104 | |
| TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: default action set to allow any threat (PowerShell) | 800/4103/4104 | |
| TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: exclusion added (native) | 5007 | |
| TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: exclusion added (PowerShell) | 800/4103/4104 | |
| TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: service component status disabled (Registry via Sysmon) | 13 | |
| TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall | Firewall deactivation (cmd) | 4688 | |
| TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall | Firewall deactivation (firewall) | 2003/4950 | |
| TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall | Firewall deactivation (PowerShell) | 800/4103/4104 | |
| TA0005-Defense Evasion | T1562.004-Disable/modify firewall (rule) | Any/any firewall rule created | 2004 | |
| TA0005-Defense Evasion | T1562.004-Disable/modify firewall (rule) | Firewall rule created by a suspicious command (netsh.exe, wmiprvse.exe) | 2004 | |
| TA0005-Defense Evasion | T1562.004-Disable/modify firewall (rule) | Firewall rule created by a user account | 2004 | |
| TA0005-Defense Evasion | T1562.004-Disable/modify firewall (rule) | OpenSSH server firewall configuration (command) | 4688/1 | SSH server |
| TA0005-Defense Evasion | T1562.004-Disable/modify firewall (rule) | OpenSSH server firewall configuration (firewall) | 2004 | SSH server |
| TA0005-Defense Evasion | T1562.004-Disable/modify firewall (rule) | OpenSSH server firewall configuration (PowerShell) | 800/4103/4104 | SSH server |
| TA0005-Defense Evasion | T1564.006-Hide Artifacts: Run Virtual Instance | WSL for Windows installation detected | 4688 | |
| TA0006-Credential Access | T1003.001-Credential dumping: LSASS | LSASS credential dump with LSASSY (kernel) | 4656/4663 | |
| TA0006-Credential Access | T1003.001-Credential dumping: LSASS | LSASS credential dump with LSASSY (PowerShell) | 800/4103/4104 | |
| TA0006-Credential Access | T1003.001-Credential dumping: LSASS | LSASS credential dump with LSASSY (process) | 4688/1 | |
| TA0006-Credential Access | T1003.001-Credential dumping: LSASS | LSASS credential dump with LSASSY (share) | 5145 | |
| TA0006-Credential Access | T1003.001-Credential dumping: LSASS | LSASS credentials dump via Task Manager (file) | 11 | |
| TA0006-Credential Access | T1003.001-Credential dumping: LSASS | LSASS dump indicator via Task Manager access | 4688 | |
| TA0006-Credential Access | T1003.001-Credential dumping: LSASS | LSASS process accessed by a non system account | 4656/4663 | |
| TA0006-Credential Access | T1003.001-Credential dumping: LSASS | SAM database user credential dump | 4661 | Mimikatz |
| TA0006-Credential Access | T1003.002-Security Account Manager | Password dump over SMB ADMIN$ | 5145 | Secretdump |
| TA0006-Credential Access | T1003.002-Security Account Manager | SAM database access during DCshadow | 4661 | DCShadow |
| TA0006-Credential Access | T1003.003-NTDS | IFM created | 325/327 | |
| TA0006-Credential Access | T1003.003-NTDS | IFM created from command line | 4688 | |
| TA0006-Credential Access | T1003.003-OS Credential-Dumping NTDS | DSRM configuration changed (Reg via command) | 4688 | |
| TA0006-Credential Access | T1003.003-OS Credential-Dumping NTDS | DSRM configuration changed (Reg via PowerShell) | 800/4103/4104 | |
| TA0006-Credential Access | T1003.003-OS Credential-Dumping NTDS | DSRM password reset | 4794 | |
| TA0006-Credential Access | T1003.006-DCSync | Member added to a sensitive Exchange security group to perform DCsync attack | 4756 | DCSync |
| TA0006-Credential Access | T1003-Credential dumping | Backdoor introduction via registry permission change through WMI (DAMP) | 4674 | DAMP |
| TA0006-Credential Access | T1003-Credential dumping | Diskshadow abuse | 4688 | |
| TA0006-Credential Access | T1003-Credential dumping | Wdigest authentication enabled (Reg via command) | 4688 | |
| TA0006-Credential Access | T1003-Credential dumping | Wdigest authentication enabled (Reg via Sysmon) | 12/13 | |
| TA0006-Credential Access | T1040-Network sniffing | Windows native sniffing tool Pktmon usage | 4688 | |
| TA0006-Credential Access | T1110.xxx-Brute force | Bruteforce enumeration on Windows OpenSSH server with non existing user | 4625/4 | SSH server |
| TA0006-Credential Access | T1110.xxx-Brute force | Bruteforce on Windows OpenSSH server with valid user | 4625/4 | SSH server |
| TA0006-Credential Access | T1110.xxx-Brute force | Kerberos bruteforce enumeration with existing/non-existing users (Kerbrute) | 4771/4768 | |
| TA0006-Credential Access | T1110.xxx-Brute force | Kerberos bruteforce with not existing users | 4771/4768 | |
| TA0006-Credential Access | T1110.xxx-Brute force | Login failure from a single source with different non existing accounts | 33205 | |
| TA0006-Credential Access | T1552.004-Unsecured Credentials-Private Keys | Unknown application accessing certificate private key detected | 70 (CAPI2) | Mimikatz |
| TA0006-Credential Access | T1555.003-Credentials from Password Stores: Credentials from Web Browsers | User browser credentials dump via network share | 5145 | DonPapi, Lazagne |
| TA0006-Credential Access | T1555.004-Windows Credential Manager | Credentials (protected by DPAPI) dump via network share | 5145 | DonPapi, Lazagne |
| TA0006-Credential Access | T1555-Credentials from Password Stores | Suspicious Active Directory DPAPI attributes accessed | 4662 | |
| TA0006-Credential Access | T1555-Credentials from Password Stores | User files dump via network share | 5145 | DonPapi, Lazagne |
| TA0006-Credential Access | T1557.001-MiM:LLMNR/NBT-NS Poisoning and SMB Relay | Discovery for print spooler bug abuse via named pipe | 5145 | |
| TA0006-Credential Access | T1558.001-Golden Ticket | Kerberos TGS ticket request related to a potential Golden ticket | 4769 | Golden ticket |
| TA0006-Credential Access | T1558.001-Golden Ticket | SMB Admin share accessed with a forged Golden ticket | 5140/5145 | Golden ticket |
| TA0006-Credential Access | T1558.001-Golden Ticket | Success login impersonation with forged Golden ticket | 4624 | Golden ticket |
| TA0006-Credential Access | T1558.003-Kerberoasting | KerberOAST ticket (TGS) request detected (low encryption) | 4769 | Kerberoast |
| TA0006-Credential Access | T1558.004-Steal or Forge Kerberos Tickets: AS-REP Roasting | Kerberos AS-REP Roasting ticket request detected | 4768 | AS-REP Roasting |
| TA0006-Credential Access | T1558-Steal or Forge Kerberos Tickets | Kerberos ticket without a trailing $ | 4768-4769 | CVE-2021-42278/42287 & SAM-the-admin |
| TA0006-Credential Access | T1558-Steal or Forge Kerberos Tickets | Suspicious Kerberos proxiable ticket | 4768 | CVE-2021-42278/42287 & SAM-the-admin |
| TA0007-Discovery | T1016-System Network Configuration Discovery | Firewall configuration enumerated (command) | 4688 | |
| TA0007-Discovery | T1016-System Network Configuration Discovery | Firewall configuration enumerated (PowerShell) | 800/4103/4104 | |
| TA0007-Discovery | T1016-System Network Configuration Discovery | Tentative of zone transfer from a non DNS server detected | 6004 (DNSserver) | |
| TA0007-Discovery | T1018-Remote System Discovery | DNS hosts file accessed via network share | 5145 | |
| TA0007-Discovery | T1046-Network Service Scanning | RDP discovery performed on multiple hosts | 4625/131 | |
| TA0007-Discovery | T1046-Network Service Scanning | Suspicious anonymous login | 4624 | |
| TA0007-Discovery | T1069.001-Discovery domain groups | Local domain group enumeration via RID bruteforce | 4661 | CrackMapExec |
| TA0007-Discovery | T1069.001-Discovery local groups | Remote local administrator group enumerated | 4799 | SharpHound |
| TA0007-Discovery | T1069.002-Discovery domain groups | Domain group enumeration | 4661 | CrackMapExec |
| TA0007-Discovery | T1069.002-Discovery domain groups | Honeypot object (container, computer, group, user) enumerated | 4662 | SharpHound |
| TA0007-Discovery | T1069.002-Discovery domain groups | Massive SAM domain users & groups discovery | 4661 | |
| TA0007-Discovery | T1069.002-Discovery domain groups | Sensitive SAM domain user & groups discovery | 4661 | |
| TA0007-Discovery | T1069-Permission Groups Discovery | Group discovery via commandline | 4688 | |
| TA0007-Discovery | T1069-Permission Groups Discovery | Group discovery via PowerShell | 800/4103/4104 | |
| TA0007-Discovery | T1082-System Information Discovery | Audit policy settings collection | 4688 | |
| TA0007-Discovery | T1087.002-Domain Account discovery | Active Directory PowerShell module called from a non administrative host | 600 | |
| TA0007-Discovery | T1087.002-Domain Account discovery | Single source performing host enumeration over Kerberos ticket (TGS) detected | 4769 | SharpHound |
| TA0007-Discovery | T1087-Account discovery | SPN enumeration (command) | 4688/1 | Kerberoast |
| TA0007-Discovery | T1087-Account discovery | SPN enumeration (PowerShell) | 800/4103/4104 | |
| TA0007-Discovery | T1087-Account discovery | User enumeration via commandline | 4688 | |
| TA0007-Discovery | T1135-Network Share Discovery | Host performing advanced named pipes enumeration on different hosts via SMB | 5145 | SharpHound |
| TA0007-Discovery | T1135-Network Share Discovery | Network share discovery and/or connection via commandline | 4688 | |
| TA0007-Discovery | T1135-Network Share Discovery | Network share manipulation via commandline | 4688 | |
| TA0007-Discovery | T1201-Password Policy Discovery | Domain password policy enumeration | 4661 | CrackMapExec |
| TA0007-Discovery | T1201-Password Policy Discovery | Password policy discovery via commandline | 4688 | |
| TA0007-Discovery | T1482-Domain Trust Discovery | Active Directory Forest PowerShell class called from a non administrative host | 800/4103/4104 | |
| TA0008-Lateral Movement | T1021.001-Remote Desktop Protocol | Denied RDP login with valid credentials | 4825 | |
| TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Admin share accessed via SMB (basic) | 5140/5145 | |
| TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Impacket WMIexec execution via SMB admin share | 5145 | WMIexec |
| TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Lateral movement by mounting a network share – net use (command) | 4688/4648 | |
| TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Multiple failed attempt to network share | 5140/5145 | |
| TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | New file share created on a host | 5142 | |
| TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Psexec remote execution via SMB | 5145 | |
| TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Remote service creation over SMB | 5145 | |
| TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Remote shell execution via SMB admin share | 5145 | |
| TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Shared printer creation | 5142 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527) |
| TA0008-Lateral Movement | T1021.003-DCOM | DCOM lateral movement (via MMC20) | 4104 | |
| TA0008-Lateral Movement | T1021.003-DCOM | DCOMexec privilege abuse | 4674 | |
| TA0008-Lateral Movement | T1021.003-DCOM | DCOMexec process abuse via MMC | 4688 | |
| TA0008-Lateral Movement | T1021.004-Remote services: SSH | OpenSSH native server feature installation | 800/4103/4104 | SSH server |
| TA0008-Lateral Movement | T1021.004-Remote services: SSH | OpenSSH server for Windows activation/configuration detected | 800/4103/4104 | SSH server |
| TA0008-Lateral Movement | T1021.006-Windows Remote Management | WinRM listening service reconnaissance | 4656 | |
| TA0008-Lateral Movement | T1550.002-Use Alternate Authentication Material: Pass the Hash | LSASS dump via process access | 10 | Mimikatz |
| TA0008-Lateral Movement | T1550.002-Use Alternate Authentication Material: Pass the Hash | Pass-the-hash login | 4624 | Mimikatz |
| TA0008-Lateral Movement | T1563.002-RDP hijacking | RDP session hijack via TSCON abuse command | 4688 | |
| TA0009-Collection | T1125-Video capture | RDP shadow session started (registry) | 13 | |
| TA0011-Command and control | T1572-Protocol tunneling | RDP tunneling configuration enabled for port forwarding | 4688 | |
| TA0040-Impact | T1490-Inhibit System Recovery | VSS backup deletion (PowerShell) | 800/4103/4104 | |
| TA0040-Impact | T1490-Inhibit System Recovery | VSS backup deletion (WMI) | 4688 | |
| TA0040-Impact | T1490-Inhibit System Recovery | Windows native backup deletion | 4688 | |
| TA0040-Impact | T1565-Data manipulation | DNS hosts file modified | 11 | |

Conclusion:

The above techniques are related to Windows attacks and mapped to Windows Event IDs. We will be updating the cheatsheet regularly. Happy Hunting!!!

Source: https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack

Anusthika Jeyashankar
Ambitious Blue Teamer; Enthused Security Analyst
