EVTX to MITRE ATT@CK

Project purpose

EVTX to MITRE ATT@CK is a project oriented towards security information and event management (SIEM) tooling. It provides more than 270 Windows IOCs, each classified by ATT&CK tactic and technique, so that different security scenarios can be exercised against your SIEM:

How to use the IOCs

IOCs are provided in the EVTX format, the event log format Microsoft introduced with Windows Vista and Windows Server 2008. Depending on the SIEM you use, you may need to point your collection agent (NXLog, Winlogbeat, Splunk Universal Forwarder, ArcSight, WinCollect, Snare, ...) at the EVTX files so that their content is forwarded to your SIEM in the expected format. Keep in mind that replayed records keep the TimeCreated timestamps, host names and account names of the lab in which they were captured, so detection rules that rely on a recent time window or on your own asset inventory must be adjusted accordingly when you test them against this corpus.

Microsoft log sources used:

Related and/or connected projects:

If you are interested in external projects around Sigma and EVTX analysis, I would suggest the following ones:

IOCs content

| ATT&CK Tactic | ATT&CK Technique | Description | Event IDs | Threat name / Tool / CVE |
|---|---|---|---|---|
| Antivirus | Antivirus | Defender: antivirus not up to date | 1151 | |
| Antivirus | Antivirus | Defender: massive malware outbreak detected on multiple hosts | 1116 | |
| Antivirus | Antivirus | Defender: massive malware detected on a single host | 1116 | |
| TA0001-Initial Access | T1078.002-Valid Accounts: Domain Accounts | Login denied due to account policy restrictions | 4625 | |
| TA0001-Initial Access | T1078.002-Valid Accounts: Domain Accounts | SQL Server: login failure from a single source with a disabled account | 33205 | |
| TA0001-Initial Access | T1078.002-Valid Accounts: Domain Accounts | Successful login on OpenSSH server | 4 | SSH server |
| TA0001-Initial Access | T1078.002-Valid Accounts: Domain Accounts | Successful login on OpenSSH server | 4624 | SSH server |
| TA0001-Initial Access | T1078-Valid Accounts | RDP reconnaissance with valid credentials performed against multiple hosts | 4624 or 1149 | |
| TA0002-Execution | T1047-Windows Management Instrumentation | Impacket wmiexec process execution | 1 or 4688 | WMIexec |
| TA0002-Execution | T1053.005-Scheduled Task | Interactive shell triggered by scheduled task (at, deprecated) | 1 or 4688 | |
| TA0002-Execution | T1053.005-Scheduled Task | Creation of a persistent scheduled task with SYSTEM privileges | 1 or 4688 | |
| TA0002-Execution | T1053.005-Scheduled Task | Remote scheduled task creation via named pipes | 5145 | Atexec |
| TA0002-Execution | T1053.005-Scheduled Task | Scheduled task created with suspicious arguments | 4698 | Atexec |
| TA0002-Execution | T1053.005-Scheduled Task | Scheduled task quickly created and deleted | 4698 and 4699 | Atexec |
| TA0002-Execution | T1053.005-Scheduled Task | Scheduled task creation | 1 or 4688 | |
| TA0002-Execution | T1059.001-Command and Scripting Interpreter: PowerShell | Encoded PowerShell payload deployed | 800 or 4103 or 4104 | |
| TA0002-Execution | T1059.001-Command and Scripting Interpreter: PowerShell | Interactive PipeShell over SMB named pipe | 800 or 4103 or 4104 | |
| TA0002-Execution | T1059.001-Command and Scripting Interpreter: PowerShell | Payload downloaded via PowerShell | 800 or 4103 or 4104 | |
| TA0002-Execution | T1059.003-Windows Command Shell | Encoded PowerShell payload deployed via process execution | 1 or 4688 | |
| TA0002-Execution | T1059.003-Windows Command Shell | SQL Server payload injection for reverse shell (MSF) | 1 or 4688 | |
| TA0002-Execution | T1204-User Execution | Edge abuse for payload download via console | 1 or 4688 | |
| TA0002-Execution | T1204-User Execution | Edge/Chrome headless feature abuse for payload download | 1 or 4688 | |
| TA0002-Execution | T1569.002-Service Execution | PsExec installation detected | 1 or 4688 | |
| TA0002-Execution | T1569.002-Service Execution | Massive service failures (native) | 7000 or 7009 | Tchopper |
| TA0002-Execution | T1569.002-Service Execution | Massive service installation (native) | 7045 or 4697 | Tchopper |
| TA0002-Execution | T1569.002-Service Execution | Massive remote service creation via named pipes (native) | 5145 | Tchopper |
| TA0003-Persistence | T1078.002-Valid Accounts: Domain Accounts | Account renamed to "admin" (or similar) | 4781 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Computer account created with privileges | 4741 | CVE-2021-42278/42287 & SAM-the-admin |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Computer account renamed without a trailing $ | 4781 | CVE-2021-42278/42287 & SAM-the-admin |
| TA0003-Persistence | T1098.xxx-Account Manipulation | High risk domain group membership change | 4728 or 4756 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | High risk Exchange group membership change | 4728 or 4756 or 4732 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | High risk domain local group membership change | 4732 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | High risk Skype/Lync/OCS group membership change | 4728 or 4756 or 4732 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Host delegation settings changed for potential abuse (any protocol) | 4742 | Rubeus |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Host delegation settings changed for potential abuse (any service, Kerberos only) | 4742 | Rubeus |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Host delegation settings changed for potential abuse (Kerberos only) | 4742 | Rubeus |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Low risk Skype/Lync/OCS group membership change | 4728 or 4756 or 4732 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Medium risk Exchange group membership change | 4728 or 4756 or 4732 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Medium risk domain local group membership change | 4732 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Medium risk Skype/Lync/OCS group membership change | 4728 or 4756 or 4732 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Member added to and removed from a group by a user account in a short period of time | 4728/4729, 4756/4757, 4732/4733 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Member added to a group by the same account | 4728 or 4756 or 4732 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | Member added to DnsAdmins group for DLL abuse | 4732 | DNS DLL abuse |
| TA0003-Persistence | T1098.xxx-Account Manipulation | New admin (or similar) created by a non-administrative account | 4720 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | SPN modification of a computer account (Directory Services) | 5136 | DCShadow |
| TA0003-Persistence | T1098.xxx-Account Manipulation | SPN modification of a computer account | 4742 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | SPN modification of a computer account | 4742 | DCShadow |
| TA0003-Persistence | T1098.xxx-Account Manipulation | SPN modification of a user account | 5136 | Kerberoasting |
| TA0003-Persistence | T1098.xxx-Account Manipulation | SQL Server: new member added to a database role | 33205 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | SQL Server: new member added to a server role | 33205 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | User account created and/or set with reversible encryption detected | 4738 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | User account marked as "sensitive and cannot be delegated" had its protection removed | 4738 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | User account set to not require Kerberos pre-authentication | 4738 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | User account set to use Kerberos DES encryption | 4738 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | User account with password set to never expire detected | 4738 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | User account set to not require a password detected | 4738 | |
| TA0003-Persistence | T1098.xxx-Account Manipulation | User password change using the current password hash - ChangeNTLM | 4723 | Mimikatz |
| TA0003-Persistence | T1098.xxx-Account Manipulation | User password change without knowing the previous password - SetNTLM | 4724 | Mimikatz |
| TA0003-Persistence | T1098.xxx-Account Manipulation | User performing massive group membership changes on multiple different groups | 4728 or 4756 | |
| TA0003-Persistence | T1098-Account Manipulation | Computer account set for RBCD delegation | 5136 | |
| TA0003-Persistence | T1098-Account Manipulation | Disabled guest or built-in account activated | 4722 | |
| TA0003-Persistence | T1098-Account Manipulation | SPN added to an account (command) | 1 or 4688 | |
| TA0003-Persistence | T1136.001-Create Account: Local Account | Hidden account creation (with fast deletion) | 4720 and 4726 | |
| TA0003-Persistence | T1136.001-Create Account: Local Account | Local user account created on a single host | 4720 | |
| TA0003-Persistence | T1136.001-Create Account: Local Account | SQL Server: disabled SA account enabled | 33205 | |
| TA0003-Persistence | T1136.002-Create Account: Domain Account | Computer account created and deleted in a short period of time | 4741 and 4743 | |
| TA0003-Persistence | T1136.002-Create Account: Domain Account | User account created and deleted in a short period of time | 4720 and 4726 | |
| TA0003-Persistence | T1136.002-Create Account: Domain Account | User account creation disguised as a computer account | 4720 or 4781 | |
| TA0003-Persistence | T1136-Create Account | User creation via command line | 1 or 4688 | |
| TA0003-Persistence | T1505.001-SQL Stored Procedures | SQL lateral movement with CLR | 15457 | |
| TA0003-Persistence | T1505.001-SQL Stored Procedures | SQL Server xp_cmdshell procedure activated | 18457 | |
| TA0003-Persistence | T1505.001-SQL Stored Procedures | SQL Server: sqlcmd & osql utilities abuse | 1 or 4688 | |
| TA0003-Persistence | T1505.001-SQL Stored Procedures | SQL Server: started in single-user mode for password recovery | 1 or 4688 | |
| TA0003-Persistence | T1505.002-Server Software Component: Transport Agent | Exchange transport agent injection via configuration file | 11 | |
| TA0003-Persistence | T1505.002-Server Software Component: Transport Agent | Exchange transport agent installation artifacts | 1 or 6 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process: Windows Service | Encoded PowerShell payload deployed via service installation | 7045 or 4697 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process: Windows Service | Impacket smbexec service registration (native) | 7045 or 4697 | SMBexec |
| TA0003-Persistence | T1543.003-Create or Modify System Process: Windows Service | Mimikatz service driver installation detected | 7045 or 4697 | Mimikatz |
| TA0003-Persistence | T1543.003-Create or Modify System Process: Windows Service | Service abuse with backdoored "command failure" (PowerShell) | 800 or 4103 or 4104 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process: Windows Service | Service abuse with backdoored "command failure" (registry) | 1 or 4688 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process: Windows Service | Service abuse with backdoored "command failure" (service) | 1 or 4688 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process: Windows Service | Service abuse with malicious ImagePath (PowerShell) | 800 or 4103 or 4104 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process: Windows Service | Service abuse with malicious ImagePath (registry) | 1 or 4688 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process: Windows Service | Service abuse with malicious ImagePath (service) | 1 or 4688 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process: Windows Service | Service created for RDP session hijack | 7045 or 4697 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process: Windows Service | Service creation (command) | 1 or 4688 | |
| TA0003-Persistence | T1543.003-Create or Modify System Process: Windows Service | Service creation (PowerShell) | 800 or 4103 or 4104 | |
| TA0003-Persistence | T1546.003-Windows Management Instrumentation Event Subscription | System crash behavior manipulation (registry) | 13 | WMImplant |
| TA0003-Persistence | T1546.003-Windows Management Instrumentation Event Subscription | WMI registration (PowerShell) | 800 or 4103 or 4104 | |
| TA0003-Persistence | T1546.003-Windows Management Instrumentation Event Subscription | WMI registration | 19 or 20 or 21 | |
| TA0003-Persistence | T1546.007-Netsh Helper DLL | Netsh helper DLL command abuse | 1 or 4688 | |
| TA0003-Persistence | T1546.007-Netsh Helper DLL | Netsh helper DLL registry abuse | 13 | |
| TA0003-Persistence | T1546-Event Triggered Execution | AdminSDHolder container permissions modified | 5136 | |
| TA0003-Persistence | T1546-Event Triggered Execution | Extended rights backdoor obfuscation (via localizationDisplayId) | 5136 | |
| TA0003-Persistence | T1547.008-Boot or Logon Autostart Execution: LSASS Driver | Security package (SSP) loaded into LSA (native) | 4622 | |
| TA0003-Persistence | T1547.009-Boot or Logon Autostart Execution: Shortcut Modification | NTFS hard link creation | 4664 | |
| TA0003-Persistence | T1547.009-Boot or Logon Autostart Execution: Shortcut Modification | NTFS symbolic link configuration change | 1 or 4688 | |
| TA0003-Persistence | T1547.009-Boot or Logon Autostart Execution: Shortcut Modification | NTFS symbolic link creation | 1 or 4688 | |
| TA0003-Persistence | T1574.002-DLL Side-Loading | DNS DLL "ServerLevelPluginDll" command execution | 1 or 4688 | DNS DLL abuse |
| TA0003-Persistence | T1574.002-DLL Side-Loading | Failed DLL load by DNS server | 150 | DNS DLL abuse |
| TA0003-Persistence | T1574.002-DLL Side-Loading | Successful DLL load by DNS server | 770 | DNS DLL abuse |
| TA0003-Persistence | T1574.010-Hijack Execution Flow: Services File Permissions Weakness | Service permissions modified (registry) | 1 or 4688 | |
| TA0003-Persistence | T1574.010-Hijack Execution Flow: Services File Permissions Weakness | Service permissions modified (service) | 1 or 4688 | |
| TA0004-Privilege Escalation | T1068-Exploitation for Privilege Escalation | SeMachineAccountPrivilege abuse | 4673 | CVE-2021-42278/42287 & SAM-the-admin |
| TA0004-Privilege Escalation | T1134.001-Access Token Manipulation: Token Impersonation/Theft | Anonymous login | 4624 and 4688 | RottenPotatoNG |
| TA0004-Privilege Escalation | T1134.002-Access Token Manipulation: Create Process with Token | Privilege escalation via runas (command) | 4688 and 4648 and 4624 | |
| TA0004-Privilege Escalation | T1134.002-Access Token Manipulation: Create Process with Token | Privilege escalation via RunasCs | 1 or 4688 | |
| TA0004-Privilege Escalation | T1134.005-Access Token Manipulation: SID-History Injection | SID history value added to a domain account (success/failure) | 4765/4766/4738 | |
| TA0004-Privilege Escalation | T1134-Access Token Manipulation | New access rights granted to an account by a standard user | 4717 or 4718 | |
| TA0004-Privilege Escalation | T1134-Access Token Manipulation | User right granted to an account by a standard user | 4704 | |
| TA0004-Privilege Escalation | T1484.001-Domain Policy Modification: Group Policy Modification | Modification of a sensitive Group Policy | 5136 | |
| TA0004-Privilege Escalation | T1484.002-Domain or Tenant Policy Modification: Trust Modification | New external trust added | 4865 or 4706 | |
| TA0004-Privilege Escalation | T1543.003-Create or Modify System Process: Windows Service | PsExec service installation detected | 7045 or 4697 | |
| TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | CMD executed by Sticky Keys and detected via hash | 1 or 4688 | Sticky Keys |
| TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky Keys called CMD via command execution | 1 or 4688 | Sticky Keys |
| TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky Keys: failed sethc.exe replacement by CMD | 4656 | Sticky Keys |
| TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky Keys file created from a CMD copy | 11 | Sticky Keys |
| TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky Keys IFEO command for registry change | 1 or 4688 | Sticky Keys |
| TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky Keys IFEO registry changed | 12 or 13 | Sticky Keys |
| TA0004-Privilege Escalation | T1547.010-Port Monitors | Print spooler privilege escalation via printer added | 800 or 4103 or 4104 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527) |
| TA0004-Privilege Escalation | T1574.002-DLL Side-Loading | External printer mapped | 4688 and 4648 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527) |
| TA0004-Privilege Escalation | T1574.002-DLL Side-Loading | New external device added | 6416 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527) |
| TA0004-Privilege Escalation | T1574.002-DLL Side-Loading | Print spooler driver from Mimikatz installed | 808 or 354 or 321 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527) |
| TA0004-Privilege Escalation | T1574.002-DLL Side-Loading | Spooler process spawned a CMD shell | 1 or 4688 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527) |
| TA0005-Defense Evasion | T1027-Obfuscated Files or Information | Obfuscated payload transfer via service name | 1 or 4688 | Tchopper |
| TA0005-Defense Evasion | T1070.001-Indicator Removal on Host: Clear Windows Event Logs | Event log file(s) cleared | 104 or 1102 | |
| TA0005-Defense Evasion | T1070.001-Indicator Removal on Host: Clear Windows Event Logs | Attempt to clear event log file(s) detected (command) | 1 or 4688 | |
| TA0005-Defense Evasion | T1070.001-Indicator Removal on Host: Clear Windows Event Logs | Attempt to clear event log file(s) detected (PowerShell) | 800 or 4103 or 4104 | |
| TA0005-Defense Evasion | T1070.001-Indicator Removal on Host: Clear Windows Event Logs | Attempt to clear event log file(s) detected (WMI) | 1 or 4688 | |
| TA0005-Defense Evasion | T1070.006-Timestomp | System time changed | 4616 | |
| TA0005-Defense Evasion | T1078.002-Valid Accounts: Domain Accounts | Login from a user member of a "special group" detected (special logon) | 4964 | |
| TA0005-Defense Evasion | T1112-Modify Registry | Impacket smbexec service registration (registry) | 13 | SMBexec |
| TA0005-Defense Evasion | T1197-BITS Jobs | Command execution related to a suspicious BITS activity detected (command) | 1 or 4688 | |
| TA0005-Defense Evasion | T1197-BITS Jobs | Command execution related to a suspicious BITS activity detected (PowerShell) | 800 or 4103 or 4104 | |
| TA0005-Defense Evasion | T1197-BITS Jobs | High amount of data downloaded via BITS | 60 | |
| TA0005-Defense Evasion | T1207-Rogue Domain Controller | New fake domain controller registration | 5137 or 5141 | DCShadow |
| TA0005-Defense Evasion | T1207-Rogue Domain Controller | Sensitive attributes accessed | 4662 | DCShadow |
| TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | Computer account modifying AD permissions | 5136 | PrivExchange |
| TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | Network share permissions changed | 5143 | |
| TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | OCSP security settings changed | 5124 (OCSP) | |
| TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | Permissions changed on a GPO | 5136 | |
| TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | Sensitive GUID related to "Replicating Directory Changes" detected | 4662 | DCSync |
| TA0005-Defense Evasion | T1553.003-Subvert Trust Controls: SIP and Trust Provider Hijacking | Suspicious SIP or trust provider registration | 12 or 13 | |
| TA0005-Defense Evasion | T1562.001-Impair Defenses: Disable or Modify Tools | Sysmon driver unloaded | 1 | |
| TA0005-Defense Evasion | T1562.001-Impair Defenses: Disable or Modify Tools | Defender: critical security component disabled (command) | 1 or 4688 | |
| TA0005-Defense Evasion | T1562.001-Impair Defenses: Disable or Modify Tools | Defender: critical security component disabled (PowerShell) | 800 or 4103 or 4104 | |
| TA0005-Defense Evasion | T1562.001-Impair Defenses: Disable or Modify Tools | Defender: default action set to allow any threat (PowerShell) | 800 or 4103 or 4104 | |
| TA0005-Defense Evasion | T1562.001-Impair Defenses: Disable or Modify Tools | Defender: exclusion added (native) | 5007 | |
| TA0005-Defense Evasion | T1562.001-Impair Defenses: Disable or Modify Tools | Defender: exclusion added (PowerShell) | 800 or 4103 or 4104 | |
| TA0005-Defense Evasion | T1562.001-Impair Defenses: Disable or Modify Tools | Defender: service component status disabled (registry via Sysmon) | 13 | |
| TA0005-Defense Evasion | T1562.001-Impair Defenses: Disable or Modify Tools | Virtualization disabled (Credential Guard) | 8 | |
| TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | | 541 | |
| TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | Audit policy disabled | 4719 | |
| TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | Domain policy changed on one or multiple hosts | 4739 | |
| TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | Membership of a special group updated | 4908 | |
| TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | SQL Server: audit object deleted | 33205 | |
| TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | SQL Server: audit object disabled | 33205 | |
| TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | SQL Server: audit specification deleted | 33205 | |
| TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | SQL Server: audit specification disabled | 33205 | |
| TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | SQL Server: database audit specification deleted | 33205 | |
| TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | SQL Server: database audit specification disabled | 33205 | |
| TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | Attempt to disable or clear the audit policy via command line | 1 or 4688 | |
| TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall | Firewall deactivation (cmd) | 1 or 4688 | |
| TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall | Firewall deactivation (firewall) | 2003 or 4950 | |
| TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall | Firewall deactivation (PowerShell) | 800 or 4103 or 4104 | |
| TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall (rule) | Any/any firewall rule created | 2004 | |
| TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall (rule) | Firewall rule created by a suspicious process (netsh.exe, wmiprvse.exe) | 2004 | |
| TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall (rule) | Firewall rule created by a user account | 2004 | |
| TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall (rule) | OpenSSH server firewall configuration (command) | 1 or 4688 | SSH server |
| TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall (rule) | OpenSSH server firewall configuration (firewall) | 2004 | SSH server |
| TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall (rule) | OpenSSH server firewall configuration (PowerShell) | 800 or 4103 or 4104 | SSH server |
| TA0005-Defense Evasion | T1564.006-Hide Artifacts: Run Virtual Instance | WSL for Windows installation detected (command) | 1 or 4688 | |
| TA0006-Credential Access | T1003.001-OS Credential Dumping: LSASS Memory | LSASS credential dump with lsassy (kernel) | 4656 or 4663 | |
| TA0006-Credential Access | T1003.001-OS Credential Dumping: LSASS Memory | LSASS credential dump with lsassy (PowerShell) | 800 or 4103 or 4104 | |
| TA0006-Credential Access | T1003.001-OS Credential Dumping: LSASS Memory | LSASS credential dump with lsassy (process) | 1 or 4688 | |
| TA0006-Credential Access | T1003.001-OS Credential Dumping: LSASS Memory | LSASS credential dump with lsassy (share) | 5145 | |
| TA0006-Credential Access | T1003.001-OS Credential Dumping: LSASS Memory | LSASS credential dump via Task Manager (file) | 11 | |
| TA0006-Credential Access | T1003.001-OS Credential Dumping: LSASS Memory | LSASS dump indicator via Task Manager access | 1 or 4688 | |
| TA0006-Credential Access | T1003.001-OS Credential Dumping: LSASS Memory | LSASS process accessed by a non-system account | 4656 or 4663 | |
| TA0006-Credential Access | T1003.001-OS Credential Dumping: LSASS Memory | SAM database user credential dump | 4661 | Mimikatz |
| TA0006-Credential Access | T1003.001-OS Credential Dumping: LSASS Memory | Task Manager used to dump the LSASS process | 4663 | |
| TA0006-Credential Access | T1003.002-Security Account Manager | Password dump over SMB ADMIN$ | 5145 | secretsdump |
| TA0006-Credential Access | T1003.002-Security Account Manager | SAM database access during DCShadow | 4661 | DCShadow |
| TA0006-Credential Access | T1003.003-NTDS | IFM created | 325 or 327 | |
| TA0006-Credential Access | T1003.003-NTDS | IFM created from command line | 1 or 4688 | |
| TA0006-Credential Access | T1003.003-OS Credential Dumping: NTDS | DSRM configuration changed (registry via command) | 1 or 4688 | |
| TA0006-Credential Access | T1003.003-OS Credential Dumping: NTDS | DSRM configuration changed (registry via PowerShell) | 800 or 4103 or 4104 | |
| TA0006-Credential Access | T1003.003-OS Credential Dumping: NTDS | DSRM password reset | 4794 | |
| TA0006-Credential Access | T1003.006-DCSync | Member added to an Exchange DCSync-related group | 4728 or 4756 or 4732 | DCSync |
| TA0006-Credential Access | T1003-OS Credential Dumping | Backdoor introduced via registry permission change through WMI (DAMP) | 4674 | DAMP |
| TA0006-Credential Access | T1003-OS Credential Dumping | Diskshadow abuse | 1 or 4688 | |
| TA0006-Credential Access | T1003-OS Credential Dumping | WDigest authentication enabled (registry via command) | 1 or 4688 | |
| TA0006-Credential Access | T1003-OS Credential Dumping | WDigest authentication enabled (registry via Sysmon) | 12 or 13 | |
| TA0006-Credential Access | T1040-Network Sniffing | Windows native sniffing tool Pktmon usage | 1 or 4688 | |
| TA0006-Credential Access | T1110.xxx-Brute Force | Brute force enumeration on Windows OpenSSH server with non-existing users | 4625 or 4 | SSH server |
| TA0006-Credential Access | T1110.xxx-Brute Force | Brute force on Windows OpenSSH server with a valid user | 4625 or 4 | SSH server |
| TA0006-Credential Access | T1110.xxx-Brute Force | Kerberos brute force enumeration with existing/non-existing users (Kerbrute) | 4771 or 4768 | |
| TA0006-Credential Access | T1110.xxx-Brute Force | Kerberos brute force with non-existing users | 4771 or 4768 | |
| TA0006-Credential Access | T1110.xxx-Brute Force | SQL Server: login failure from a single source with different non-existing accounts | 33205 | |
| TA0006-Credential Access | T1110.xxx-Brute Force | Local login failure on target | 4625 | |
| TA0006-Credential Access | T1552.004-Unsecured Credentials: Private Keys | Unknown application accessing a certificate private key detected | 70 (CAPI2) | Mimikatz |
| TA0006-Credential Access | T1555.003-Credentials from Password Stores: Credentials from Web Browsers | User browser credentials dump via network share | 5145 | DonPAPI, LaZagne |
| TA0006-Credential Access | T1555.004-Windows Credential Manager | Credentials (protected by DPAPI) dump via network share | 5145 | DonPAPI, LaZagne |
| TA0006-Credential Access | T1555.004-Windows Credential Manager | Vault credentials were read | 5382 | |
| TA0006-Credential Access | T1555-Credentials from Password Stores | Suspicious Active Directory DPAPI attributes accessed | 4662 | |
| TA0006-Credential Access | T1555-Credentials from Password Stores | User files dump via network share | 5145 | DonPAPI, LaZagne |
| TA0006-Credential Access | T1557.001-MitM: LLMNR/NBT-NS Poisoning and SMB Relay | Discovery for print spooler bug abuse via named pipe | 5145 | |
| TA0006-Credential Access | T1558.001-Golden Ticket | Kerberos TGS ticket request related to a potential Golden Ticket | 4769 | Golden Ticket |
| TA0006-Credential Access | T1558.001-Golden Ticket | SMB admin share accessed with a forged Golden Ticket | 5140 or 5145 | Golden Ticket |
| TA0006-Credential Access | T1558.001-Golden Ticket | Successful login impersonation with a forged Golden Ticket | 4624 | Golden Ticket |
| TA0006-Credential Access | T1558.003-Kerberoasting | Kerberoast ticket (TGS) request detected (weak encryption) | 4769 | Kerberoast |
| TA0006-Credential Access | T1558.004-Steal or Forge Kerberos Tickets: AS-REP Roasting | Kerberos AS-REP Roasting ticket request detected | 4768 | AS-REP Roasting |
| TA0006-Credential Access | T1558-Steal or Forge Kerberos Tickets | Kerberos ticket without a trailing $ | 4768 or 4769 | CVE-2021-42278/42287 & SAM-the-admin |
| TA0006-Credential Access | T1558-Steal or Forge Kerberos Tickets | Suspicious Kerberos proxiable ticket | 4768 | CVE-2021-42278/42287 & SAM-the-admin |
| TA0007-Discovery | T1016-System Network Configuration Discovery | Firewall configuration enumerated (command) | 1 or 4688 | |
| TA0007-Discovery | T1016-System Network Configuration Discovery | Firewall configuration enumerated (PowerShell) | 800 or 4103 or 4104 | |
| TA0007-Discovery | T1016-System Network Configuration Discovery | Zone transfer attempt from a non-DNS server detected | 6004 (DNS Server) | |
| TA0007-Discovery | T1018-Remote System Discovery | DNS hosts file accessed via network share | 5145 | |
| TA0007-Discovery | T1046-Network Service Scanning | RDP discovery performed on multiple hosts | 131 | |
| TA0007-Discovery | T1046-Network Service Scanning | Suspicious anonymous login | 4624 | |
| TA0007-Discovery | T1069.001-Permission Groups Discovery: Local Groups | Local domain group enumeration via RID brute force | 4661 | CrackMapExec |
| TA0007-Discovery | T1069.001-Permission Groups Discovery: Local Groups | Remote local group enumeration (SharpHound) | 4799 | SharpHound |
| TA0007-Discovery | T1069.002-Permission Groups Discovery: Domain Groups | Domain group enumeration | 4661 | CrackMapExec |
| TA0007-Discovery | T1069.002-Permission Groups Discovery: Domain Groups | Honeypot object (container, computer, group, user) enumerated | 4662 | SharpHound |
| TA0007-Discovery | T1069.002-Permission Groups Discovery: Domain Groups | Massive SAM domain users & groups discovery | 4661 | |
| TA0007-Discovery | T1069.002-Permission Groups Discovery: Domain Groups | Sensitive SAM domain users & groups discovery | 4661 | |
| TA0007-Discovery | T1069-Permission Groups Discovery | Group discovery via command line | 1 or 4688 | |
| TA0007-Discovery | T1069-Permission Groups Discovery | Group discovery via PowerShell | 800 or 4103 or 4104 | |
| TA0007-Discovery | T1082-System Information Discovery | Audit policy settings collection | 1 or 4688 | |
| TA0007-Discovery | T1087.002-Account Discovery: Domain Account | Active Directory PowerShell module called from a non-administrative host | 600 | |
| TA0007-Discovery | T1087.002-Account Discovery: Domain Account | Single source performing host enumeration through Kerberos ticket (TGS) requests detected | 4769 | SharpHound |
| TA0007-Discovery | T1087-Account Discovery | SPN enumeration (command) | 1 or 4688 | Kerberoast |
| TA0007-Discovery | T1087-Account Discovery | SPN enumeration (PowerShell) | 800 or 4103 or 4104 | |
| TA0007-Discovery | T1087-Account Discovery | User enumeration via command line | 1 or 4688 | |
| TA0007-Discovery | T1135-Network Share Discovery | Host performing advanced named pipe enumeration on different hosts via SMB | 5145 | SharpHound |
| TA0007-Discovery | T1135-Network Share Discovery | Network share discovery and/or connection via command line | 1 or 4688 | |
| TA0007-Discovery | T1135-Network Share Discovery | Network share manipulation via command line | 1 or 4688 | |
| TA0007-Discovery | T1201-Password Policy Discovery | Domain password policy enumeration | 4661 | CrackMapExec |
| TA0007-Discovery | T1201-Password Policy Discovery | Password policy discovery via command line | 1 or 4688 | |
| TA0007-Discovery | T1482-Domain Trust Discovery | Active Directory Forest PowerShell class called from a non-administrative host | 800 or 4103 or 4104 | |
| TA0008-Lateral Movement | T1021.001-Remote Desktop Protocol | Denied RDP login with valid credentials | 4825 | |
| TA0008-Lateral Movement | T1021.002-SMB/Windows Admin Shares | Admin share accessed via SMB (basic) | 5140 or 5145 | |
| TA0008-Lateral Movement | T1021.002-SMB/Windows Admin Shares | Impacket wmiexec execution via SMB admin share | 5145 | WMIexec |
| TA0008-Lateral Movement | T1021.002-SMB/Windows Admin Shares | Lateral movement by mounting a network share - net use (command) | 4688 and 4648 | |
| TA0008-Lateral Movement | T1021.002-SMB/Windows Admin Shares | Multiple failed attempts to access a network share | 5140 or 5145 | |
| TA0008-Lateral Movement | T1021.002-SMB/Windows Admin Shares | New file share created on a host | 5142 | |
| TA0008-Lateral Movement | T1021.002-SMB/Windows Admin Shares | PsExec remote execution via SMB | 5145 | |
| TA0008-Lateral Movement | T1021.002-SMB/Windows Admin Shares | Remote service creation over SMB | 5145 | |
| TA0008-Lateral Movement | T1021.002-SMB/Windows Admin Shares | Remote shell execution via SMB admin share | 5145 | |
| TA0008-Lateral Movement | T1021.002-SMB/Windows Admin Shares | Shared printer creation | 5142 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527) |
| TA0008-Lateral Movement | T1021.003-Distributed Component Object Model | DCOM lateral movement (via MMC20) | 4104 | |
| TA0008-Lateral Movement | T1021.003-Distributed Component Object Model | DCOMexec privilege abuse | 4674 | |
| TA0008-Lateral Movement | T1021.003-Distributed Component Object Model | DCOMexec process abuse via MMC | 1 or 4688 | |
| TA0008-Lateral Movement | T1021.004-Remote Services: SSH | OpenSSH native server feature installation | 800 or 4103 or 4104 | SSH server |
| TA0008-Lateral Movement | T1021.004-Remote Services: SSH | OpenSSH server for Windows activation/configuration detected | 800 or 4103 or 4104 | SSH server |
| TA0008-Lateral Movement | T1021.006-Windows Remote Management | WinRM listening service reconnaissance | 4656 | |
| TA0008-Lateral Movement | T1550.002-Use Alternate Authentication Material: Pass the Hash | LSASS dump via process access | 10 | Mimikatz |
| TA0008-Lateral Movement | T1550.002-Use Alternate Authentication Material: Pass the Hash | Pass-the-hash login | 4624 | Mimikatz |
| TA0008-Lateral Movement | T1563.002-RDP Hijacking | RDP session hijack via tscon abuse (command) | 1 or 4688 | |
| TA0009-Collection | T1125-Video Capture | RDP shadow session started (registry) | 13 | |
| TA0011-Command and Control | T1090-Proxy | Proxy configuration changed | 5600 | |
| TA0011-Command and Control | T1572-Protocol Tunneling | RDP tunneling configuration enabled for port forwarding | 1 or 4688 | |
| TA0040-Impact | T1490-Inhibit System Recovery | VSS backup deletion (PowerShell) | 800 or 4103 or 4104 | |
| TA0040-Impact | T1490-Inhibit System Recovery | VSS backup deletion (WMI) | 1 or 4688 | |
| TA0040-Impact | T1490-Inhibit System Recovery | Windows native backup deletion | 1 or 4688 | |
| TA0040-Impact | T1565-Data Manipulation | DNS hosts file modified | 11 | |
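Several rows in the table above are not single events but pairs that must be correlated in time: a user account created and deleted in a short period (4720 and 4726), a computer account created and deleted (4741 and 4743), and a scheduled task quickly created and deleted (4698 and 4699). The following Python script is an added example and not part of the project: it replays an event export the way the "How to use the IOCs" section describes, and evaluates those three paired rows with one generic correlation routine instead of one rule per pair. It assumes the EVTX files were exported with `wevtutil qe <file.evtx> /lf:true /f:xml`, which prints bare `<Event>` elements in the standard Windows event XML schema; the records, host names, SIDs and account names embedded below are constructed for the demonstration and are not taken from the project's EVTX files.

```python
"""Replay Windows event XML (as printed by `wevtutil qe Security.evtx /lf:true /f:xml`)
and evaluate the paired "created and deleted in a short period of time" IOCs."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Pairs from the IOC table: (creation event, deletion event,
# EventData field that ties the two records together, technique / description).
PAIRED_IOCS = [
    (4720, 4726, "TargetSid", "T1136.002 - User account created and deleted in a short period of time"),
    (4741, 4743, "TargetSid", "T1136.002 - Computer account created and deleted in a short period of time"),
    (4698, 4699, "TaskName", "T1053.005 - Scheduled task quickly created and deleted"),
]


def parse_system_time(value):
    """TimeCreated/@SystemTime carries seven fractional digits; keep whole seconds, UTC."""
    stamp = value.split(".")[0].rstrip("Z")
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_events(xml_text):
    """wevtutil emits sibling <Event> elements without a root, so wrap them before parsing."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        events.append({
            "id": int(system.findtext("e:EventID", namespaces=NS)),
            "channel": system.findtext("e:Channel", namespaces=NS),
            "computer": system.findtext("e:Computer", namespaces=NS),
            "time": parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
            "data": {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return sorted(events, key=lambda e: e["time"])  # record order in an EVTX is not chronological


def event_histogram(events):
    """(channel, event ID) -> count; compare it with what the SIEM actually indexed after replay."""
    return Counter((e["channel"], e["id"]) for e in events)


def find_short_lived(events, window=timedelta(minutes=5)):
    """Report each deletion that follows its own creation within `window`, per pair in PAIRED_IOCS."""
    hits = []
    for create_id, delete_id, key, label in PAIRED_IOCS:
        pending = {}  # key value -> most recent creation still awaiting its deletion
        for ev in events:
            if ev["channel"] != "Security":
                continue
            value = ev["data"].get(key)
            if ev["id"] == create_id and value:
                pending[value] = ev
            elif ev["id"] == delete_id and value in pending:
                created = pending.pop(value)
                age = ev["time"] - created["time"]
                if timedelta(0) <= age <= window:  # negative age means clock skew, not a hit
                    hits.append({"ioc": label, "object": value, "host": ev["computer"],
                                 "actor": created["data"].get("SubjectUserName", ""),
                                 "seconds": age.total_seconds()})
    return hits


def constructed_event(event_id, system_time, computer="DC01.lab.local", **data):
    """Constructed sample record in the layout wevtutil /f:xml produces (not a real capture)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/><Channel>Security</Channel>'
            f'<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>')


# Constructed sample: one benign account that lives for three hours, one account and one
# scheduled task that are removed within seconds of their creation, and an unrelated logon.
SAMPLE_XML = "\n".join([
    constructed_event(4720, "2024-05-01T09:00:00.0000000Z", TargetUserName="newhire",
                      TargetSid="S-1-5-21-1-2-3-1104", SubjectUserName="hr_admin"),
    constructed_event(4720, "2024-05-01T10:00:00.1234567Z", TargetUserName="svc_tmp",
                      TargetSid="S-1-5-21-1-2-3-1105", SubjectUserName="jdoe"),
    constructed_event(4726, "2024-05-01T10:00:20.0000000Z", TargetUserName="svc_tmp",
                      TargetSid="S-1-5-21-1-2-3-1105", SubjectUserName="jdoe"),
    constructed_event(4698, "2024-05-01T10:00:30.0000000Z", computer="WS07.lab.local",
                      TaskName="\\Updater", SubjectUserName="jdoe"),
    constructed_event(4699, "2024-05-01T10:00:45.0000000Z", computer="WS07.lab.local",
                      TaskName="\\Updater", SubjectUserName="jdoe"),
    constructed_event(4624, "2024-05-01T10:01:00.0000000Z", TargetUserName="jdoe", LogonType="3"),
    constructed_event(4726, "2024-05-01T12:00:00.0000000Z", TargetUserName="newhire",
                      TargetSid="S-1-5-21-1-2-3-1104", SubjectUserName="hr_admin"),
])

if __name__ == "__main__":
    events = parse_events(SAMPLE_XML)
    for (channel, event_id), count in sorted(event_histogram(events).items()):
        print(f"{channel} {event_id}: {count}")
    for hit in find_short_lived(events):
        print(f"[{hit['ioc']}] {hit['object']} on {hit['host']} by {hit['actor']} "
              f"after {hit['seconds']:.0f}s")
```

To run it against the project's files, replace `SAMPLE_XML` with the output of `wevtutil qe <file.evtx> /lf:true /f:xml` read from disk. The histogram is the quick ingestion check: if your SIEM shows fewer 4720 or 4698 records than the histogram counts, the agent is filtering or failing before the correlation rule ever gets a chance to fire. The five-minute window is the only tunable; the benign `newhire` pair in the sample is deliberately outside it to show that the rule is driven by the time gap, not by the mere presence of a creation and a deletion.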