SIGMA detection rules

Project purpose:

The SIGMA detection rules project provides a free set of >320 advanced correlation rules for hunting suspicious activity in your environment.

How to use the rules:

The SIGMA rules can be used in different ways together with your SIEM:

Microsoft products used:

SIGMA rules content

ATT&CK Tactic | ATT&CK Technique | Description | Event IDs | Threat name / Tool / CVE
---|---|---|---|---
Antivirus | Antivirus | Defender: antivirus not up to date | 1151 |
Antivirus | Antivirus | Defender: massive malware outbreak detected on multiple hosts | 1116 |
Antivirus | Antivirus | Defender: massive malware detected on a single host | 1116 |
TA0001-Initial access | T1078.002-Valid accounts-Domain accounts | Login denied due to account policy restrictions | 4625 |
TA0001-Initial access | T1078.002-Valid accounts-Domain accounts | Login failure from a single source with a disabled account | 33205 |
TA0001-Initial access | T1078.002-Valid accounts-Domain accounts | Login failure from a single source with a disabled account | 4624 |
TA0001-Initial access | T1078.002-Valid accounts-Domain accounts | Multiple successful logins performed to multiple hosts | 4624 |
TA0001-Initial access | T1078.002-Valid accounts-Domain accounts | Successful login on OpenSSH server | 4 | SSH server
TA0001-Initial access | T1078.002-Valid accounts-Domain accounts | Successful login on OpenSSH server | 4624 | SSH server
TA0001-Initial access | T1078-Valid accounts | Login via Azure serial console | 4624 |
TA0001-Initial access | T1078-Valid accounts | RDP reconnaissance with valid credentials performed to multiple hosts | 4624 or 1149 |
TA0002-Execution | T1047-Windows Management Instrumentation | Impacket WMIexec process execution | 1 or 4688 | WMIexec
TA0002-Execution | T1053.005-Scheduled Task | Interactive shell triggered by scheduled task (at, deprecated) | 1 or 4688 |
TA0002-Execution | T1053.005-Scheduled Task | Persistent scheduled task creation with SYSTEM privileges | 1 or 4688 |
TA0002-Execution | T1053.005-Scheduled Task | Remote scheduled task creation via named pipes | 5145 | Atexec
TA0002-Execution | T1053.005-Scheduled Task | Scheduled task quickly created and deleted | 4698 and 4699 | Atexec
TA0002-Execution | T1053.005-Scheduled Task | Scheduled task creation | 1 or 4688 |
TA0002-Execution | T1059.001-Command and Scripting Interpreter: PowerShell | Encoded PowerShell payload deployed | 800 or 4103 or 4104 |
TA0002-Execution | T1059.001-Command and Scripting Interpreter: PowerShell | Interactive PipeShell over SMB named pipe | 800 or 4103 or 4104 |
TA0002-Execution | T1059.001-Command and Scripting Interpreter: PowerShell | Payload downloaded via PowerShell | 800 or 4103 or 4104 |
TA0002-Execution | T1059.001-Command and Scripting Interpreter: PowerShell | Vice Society directory crawling script for data exfiltration | 4104 |
TA0002-Execution | T1059.003-Command and Scripting Interpreter: Windows Command Shell | CMD shell via serial cable (command) | 1 or 4688 |
TA0002-Execution | T1059.003-Windows Command Shell | Encoded PowerShell payload deployed via process execution | 1 or 4688 |
TA0002-Execution | T1059.003-Windows Command Shell | SQL Server payload injection for reverse shell (MSF) | 1 or 4688 |
TA0002-Execution | T1204-User execution | Edge abuse for payload download via console | 1 or 4688 |
TA0002-Execution | T1204-User execution | Edge/Chrome headless feature abuse for payload download | 1 or 4688 |
TA0002-Execution | T1569.002-Service Execution | PsExec installation detected | 1 or 4688 |
TA0002-Execution | T1569.002-Service Execution | Service massive failures (native) | 7000 or 7009 | Tchopper
TA0002-Execution | T1569.002-Service Execution | Service massive installation (native) | 7045 or 4697 | Tchopper
TA0002-Execution | T1569.002-Service Execution | Service massive remote creation via named pipes (native) | 5145 | Tchopper
TA0003-Persistence | T1078.002-Valid accounts-Domain accounts | Account renamed to "admin" (or likely) | 4781 |
TA0003-Persistence | T1098.xxx-Account manipulation | Computer account created with privileges | 4741 | CVE-2021-42278/42287 & SAM-the-admin
TA0003-Persistence | T1098.xxx-Account manipulation | Computer account renamed without a trailing $ | 4781 | CVE-2021-42278/42287 & SAM-the-admin
TA0003-Persistence | T1098.xxx-Account manipulation | Custom sensitive account password reset | 4723 or 4724 |
TA0003-Persistence | T1098.xxx-Account manipulation | High risk domain group membership change | 4728 or 4756 |
TA0003-Persistence | T1098.xxx-Account manipulation | High risk Exchange group membership change | 4728 or 4756 or 4732 |
TA0003-Persistence | T1098.xxx-Account manipulation | High risk local-domain local group membership change | 4732 |
TA0003-Persistence | T1098.xxx-Account manipulation | High risk Skype/Lync/OCS group membership change | 4728 or 4756 or 4732 |
TA0003-Persistence | T1098.xxx-Account manipulation | Host delegation settings changed for potential abuse (any protocol) | 4742 | Rubeus
TA0003-Persistence | T1098.xxx-Account manipulation | Host delegation settings changed for potential abuse (any service, Kerberos only) | 4742 | Rubeus
TA0003-Persistence | T1098.xxx-Account manipulation | Host delegation settings changed for potential abuse (Kerberos only) | 4742 | Rubeus
TA0003-Persistence | T1098.xxx-Account manipulation | Kerberos account password reset | 4723 or 4724 | Golden ticket
TA0003-Persistence | T1098.xxx-Account manipulation | Low risk Skype/Lync/OCS group membership change | 4728 or 4756 or 4732 |
TA0003-Persistence | T1098.xxx-Account manipulation | Medium risk Exchange group membership change | 4728 or 4756 or 4732 |
TA0003-Persistence | T1098.xxx-Account manipulation | Medium risk local-domain local group membership change | 4732 |
TA0003-Persistence | T1098.xxx-Account manipulation | Medium risk Skype/Lync/OCS group membership change | 4728 or 4756 or 4732 |
TA0003-Persistence | T1098.xxx-Account manipulation | Member added to a group (command) | 1 or 4688 |
TA0003-Persistence | T1098.xxx-Account manipulation | Member added to DNSAdmins group for DLL abuse | 4732 | DNS DLL abuse
TA0003-Persistence | T1098.xxx-Account manipulation | New admin (or likely) created by a non-administrative account | 4720 |
TA0003-Persistence | T1098.xxx-Account manipulation | SPN modification of a computer account (Directory Services) | 5136 | DCShadow
TA0003-Persistence | T1098.xxx-Account manipulation | SPN modification of a computer account | 4742 |
TA0003-Persistence | T1098.xxx-Account manipulation | SPN modification of a computer account | 4742 | DCShadow
TA0003-Persistence | T1098.xxx-Account manipulation | SPN modification of a user account | 5136 | Kerberoasting
TA0003-Persistence | T1098.xxx-Account manipulation | SQL Server: member had new privileges added to a database | 33205 |
TA0003-Persistence | T1098.xxx-Account manipulation | SQL Server: member had new privileges added to an instance | 33205 |
TA0003-Persistence | T1098.xxx-Account manipulation | SQL Server: new member added to a database role | 33205 |
TA0003-Persistence | T1098.xxx-Account manipulation | SQL Server: new member added to a server role | 33205 |
TA0003-Persistence | T1098.xxx-Account manipulation | User account created and/or set with reversible encryption detected | 4738 |
TA0003-Persistence | T1098.xxx-Account manipulation | User account marked as "sensitive and cannot be delegated" had its protection removed | 4738 |
TA0003-Persistence | T1098.xxx-Account manipulation | User account set to not require Kerberos pre-authentication | 4738 |
TA0003-Persistence | T1098.xxx-Account manipulation | User account set to use Kerberos DES encryption | 4738 |
TA0003-Persistence | T1098.xxx-Account manipulation | User account with password set to never expire detected | 4738 |
TA0003-Persistence | T1098.xxx-Account manipulation | User account with password set to not required detected | 4738 |
TA0003-Persistence | T1098.xxx-Account manipulation | User password change using current password hash - ChangeNTLM | 4723 | Mimikatz
TA0003-Persistence | T1098.xxx-Account manipulation | User password change without previous password known - SetNTLM | 4724 | Mimikatz
TA0003-Persistence | T1098.xxx-Account manipulation | User performing massive group membership changes on multiple different groups | 4728 or 4756 |
TA0003-Persistence | T1098-Account manipulation | Computer account set for RBCD delegation | 5136 |
TA0003-Persistence | T1098-Account manipulation | Disabled guest or builtin account activated (command) | 1 or 4688 |
TA0003-Persistence | T1098-Account manipulation | Disabled guest or builtin account activated | 4722 |
TA0003-Persistence | T1098-Account manipulation | SPN added to an account (command) | 1 or 4688 |
TA0003-Persistence | T1136.001-Create account-Local account | Hidden account creation (with fast deletion) | 4720 and 4726 |
TA0003-Persistence | T1136.001-Create account-Local account | SQL Server: disabled SA account enabled | 33205 |
TA0003-Persistence | T1136.001-Create account-Local account | User account created by a computer account | 4720 |
TA0003-Persistence | T1136.001-Create account-Local account | User creation related to Manic Menagerie (command) | 1 or 4688 |
TA0003-Persistence | T1136.002-Create account-Domain account | Computer account created by a computer account | 4741 |
TA0003-Persistence | T1136.002-Create account-Domain account | User account creation disguised as a computer account | 4720 or 4781 |
TA0003-Persistence | T1136-Create account | User creation via command line | 1 or 4688 |
TA0003-Persistence | T1505.001-SQL Stored Procedures | SQL lateral movement with CLR | 15457 |
TA0003-Persistence | T1505.001-SQL Stored Procedures | SQL Server Dedicated Admin Connection (DAC) activity | 17199 or 17200 or 17201 or 17202 or 17810 |
TA0003-Persistence | T1505.001-SQL Stored Procedures | SQL Server Dedicated Admin Connection (DAC) mode activated | 15457 |
TA0003-Persistence | T1505.001-SQL Stored Procedures | SQL Server xp_cmdshell procedure activated | 18457 |
TA0003-Persistence | T1505.001-SQL Stored Procedures | SQL Server: sqlcmd & osql utilities abuse | 1 or 4688 |
TA0003-Persistence | T1505.001-SQL Stored Procedures | SQL Server: started in single-user mode for password recovery | 1 or 4688 |
TA0003-Persistence | T1505.002-Server Software Component: Transport Agent | Exchange transport agent injection via configuration file | 11 |
TA0003-Persistence | T1505.002-Server Software Component: Transport Agent | Exchange transport agent installation artifacts (PowerShell) | 800 or 4103 or 4104 |
TA0003-Persistence | T1505.002-Server Software Component: Transport Agent | Exchange transport agent installation artifacts | 1 or 6 |
TA0003-Persistence | T1505.004-Server Software Component: IIS Components | Webserver IIS module installed | 1 or 4688 |
TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Encoded PowerShell payload deployed via service installation | 7045 or 4697 |
TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Impacket SMBexec service registration (native) | 7045 or 4697 | SMBexec
TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Mimikatz service driver installation detected | 7045 or 4697 | Mimikatz
TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service abuse with backdoored "command failure" (PowerShell) | 800 or 4103 or 4104 |
TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service abuse with backdoored "command failure" (registry) | 1 or 4688 |
TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service abuse with backdoored "command failure" (service) | 1 or 4688 |
TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service abuse with malicious ImagePath (PowerShell) | 800 or 4103 or 4104 |
TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service abuse with malicious ImagePath (registry) | 1 or 4688 |
TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service abuse with malicious ImagePath (service) | 1 or 4688 |
TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service created for RDP session hijack | 7045 or 4697 |
TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service creation (command) | 1 or 4688 |
TA0003-Persistence | T1543.003-Create or Modify System Process-Windows Service | Service creation (PowerShell) | 800 or 4103 or 4104 |
TA0003-Persistence | T1546.003-Windows Management Instrumentation Event Subscription | System crash behavior manipulation (registry) | 13 | WMImplant
TA0003-Persistence | T1546.003-Windows Management Instrumentation Event Subscription | WMI registration (PowerShell) | 800 or 4103 or 4104 |
TA0003-Persistence | T1546.003-Windows Management Instrumentation Event Subscription | WMI registration | 19 or 20 or 21 |
TA0003-Persistence | T1546.007-Netsh Helper DLL | Netsh helper DLL command abuse | 1 or 4688 |
TA0003-Persistence | T1546.007-Netsh Helper DLL | Netsh helper DLL registry abuse | 13 |
TA0003-Persistence | T1546-Event Triggered Execution | AdminSDHolder container permissions modified | 5136 |
TA0003-Persistence | T1546-Event Triggered Execution | Extended rights backdoor obfuscation (via localizationDisplayId) | 5136 |
TA0003-Persistence | T1547.008-Boot or Logon Autostart Execution: LSASS Driver | Security package (SSP) loaded into LSA (native) | 4622 |
TA0003-Persistence | T1547.008-Boot or Logon Autostart Execution: LSASS Driver | Security package (SSP) reference added to registry | 1 or 4688 |
TA0003-Persistence | T1547.009-Boot or Logon Autostart Execution: Shortcut Modification | NTFS hard link creation | 4664 |
TA0003-Persistence | T1547.009-Boot or Logon Autostart Execution: Shortcut Modification | NTFS symbolic link configuration change | 1 or 4688 |
TA0003-Persistence | T1547.009-Boot or Logon Autostart Execution: Shortcut Modification | NTFS symbolic link creation | 1 or 4688 |
TA0003-Persistence | T1574.002-DLL Side-Loading | DNS DLL "serverlevelplugindll" command execution | 1 or 4688 | DNS DLL abuse
TA0003-Persistence | T1574.002-DLL Side-Loading | Failed DLL load by DNS server | 150 | DNS DLL abuse
TA0003-Persistence | T1574.002-DLL Side-Loading | Successful DLL load by DNS server | 770 | DNS DLL abuse
TA0003-Persistence | T1574.010-Hijack execution flow: service file permissions weakness | Service permissions modified (PowerShell) | 800 or 4103 or 4104 |
TA0003-Persistence | T1574.010-Hijack execution flow: service file permissions weakness | Service permissions modified (Reg via PowerShell) | 800 or 4103 or 4104 |
TA0003-Persistence | T1574.010-Hijack execution flow: service file permissions weakness | Service permissions modified (registry) | 1 or 4688 |
TA0003-Persistence | T1574.010-Hijack execution flow: service file permissions weakness | Service permissions modified (service) | 1 or 4688 |
TA0004-Privilege Escalation | T1068-Exploitation for Privilege Escalation | SeMachineAccountPrivilege abuse | 4673 | CVE-2021-42278/42287 & SAM-the-admin
TA0004-Privilege Escalation | T1134.001-Access Token Manipulation: Token Impersonation/Theft | Anonymous login | 4624 and 4688 | RottenPotatoNG
TA0004-Privilege Escalation | T1134.002-Access Token Manipulation: Create Process with Token | Privilege escalation via runas (command) | 4688 and 4648 and 4624 |
TA0004-Privilege Escalation | T1134.002-Access Token Manipulation: Create Process with Token | Privilege escalation via RunasCS | 1 or 4688 |
TA0004-Privilege Escalation | T1134-Access Token Manipulation | New access rights granted to an account by a standard user | 4717 or 4718 |
TA0004-Privilege Escalation | T1134-Access Token Manipulation | User right granted to an account by a standard user | 4704 |
TA0004-Privilege Escalation | T1484.001-Domain Policy Modification-Group Policy Modification | Modification of a sensitive Group Policy | 5136 |
TA0004-Privilege Escalation | T1543.003-Create or Modify System Process-Windows Service | PsExec service installation detected | 7045 or 4697 |
TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | CMD executed by sticky key and detected via hash | 1 or 4688 | Sticky key
TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky key called CMD via command execution | 1 or 4688 | Sticky key
TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky key failed sethc replacement by CMD | 4656 | Sticky key
TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky key file created from CMD copy | 11 | Sticky key
TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky key IFEO command for registry change | 1 or 4688 | Sticky key
TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky key IFEO registry changed | 12 or 12 | Sticky key
TA0004-Privilege Escalation | T1546.008-Event Triggered Execution: Accessibility Features | Sticky key sethc command for replacement by CMD | 1 or 4688 | Sticky key
TA0004-Privilege Escalation | T1547.010-Port Monitors | Print spooler privilege escalation via printer added | 800 or 4103 or 4104 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0004-Privilege Escalation | T1574.002-DLL Side-Loading | External printer mapped | 4688 and 4648 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0004-Privilege Escalation | T1574.002-DLL Side-Loading | New external device added | 6416 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0004-Privilege Escalation | T1574.002-DLL Side-Loading | Printer spool driver from Mimikatz installed | 808 or 354 or 321 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0004-Privilege Escalation | T1574.002-DLL Side-Loading | Spool process spawned a CMD shell | 1 or 4688 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0005-Defense Evasion | T1027-Obfuscated Files or Information | Obfuscated payload transfer via service name | 1 or 4688 | Tchopper
TA0005-Defense Evasion | T1036-Masquerading | SearchIndex process suspicious activity | 1 or 4688 |
TA0005-Defense Evasion | T1070.001-Indicator Removal on Host | Event log file(s) cleared | 104 or 1102 |
TA0005-Defense Evasion | T1070.001-Indicator Removal on Host | Attempt to clear event log file(s) detected (command) | 1 or 4688 |
TA0005-Defense Evasion | T1070.001-Indicator Removal on Host | Attempt to clear event log file(s) detected (PowerShell) | 800 or 4103 or 4104 |
TA0005-Defense Evasion | T1070.001-Indicator Removal on Host | Attempt to clear event log file(s) detected (WMI) | 1 or 4688 |
TA0005-Defense Evasion | T1070.006-Timestomp | System time changed (PowerShell) | 800 or 4103 or 4104 |
TA0005-Defense Evasion | T1070.006-Timestomp | System time changed | 4616 |
TA0005-Defense Evasion | T1078.002-Valid accounts-Domain accounts | Login from a user member of a "special group" detected (special logon) | 4964 |
TA0005-Defense Evasion | T1112-Modify registry | Impacket SMBexec service registration (registry) | 13 | SMBexec
TA0005-Defense Evasion | T1197-BITS job | Command execution related to a suspicious BITS activity detected | 1 or 4688 |
TA0005-Defense Evasion | T1197-BITS job | Command execution related to a suspicious BITS activity detected | 800 or 4103 or 4104 |
TA0005-Defense Evasion | T1197-BITS job | High amount of data downloaded via BITS | 60 |
TA0005-Defense Evasion | T1207-Rogue domain controller | New fake domain controller registration | 5137 or 5141 | DCShadow
TA0005-Defense Evasion | T1207-Rogue domain controller | Sensitive attributes accessed | 4662 | DCShadow
TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | Computer account modifying AD permissions | 5136 | PrivExchange
TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | Network share permissions changed | 5143 |
TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | OCSP security settings changed | 5124 (OCSP) |
TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | Permissions changed on a GPO | 5136 |
TA0005-Defense Evasion | T1222.001-File and Directory Permissions Modification | Sensitive GUID related to "Replicate directory changes" detected | 4662 | DCSync
TA0005-Defense Evasion | T1553.003-Subvert Trust Controls: SIP and Trust Provider Hijacking | Suspicious SIP or trust provider registration | 12 or 12 |
TA0005-Defense Evasion | T1553.004-Subvert Trust Controls: Install Root Certificate | Certutil root certificate install (command) | 1 or 4688 |
TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender real-time protection failure | 3002 |
TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: critical security component disabled (command) | 1 or 4688 |
TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: critical security component disabled (PowerShell) | 800 or 4103 or 4104 |
TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: default action set to allow any threat (command) | 1 or 4688 |
TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: default action set to allow any threat (PowerShell) | 800 or 4103 or 4104 |
TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: exclusion added (native) | 5007 |
TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: exclusion added (PowerShell) | 800 or 4103 or 4104 |
TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: security component disabled (command) | 1 or 4688 |
TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: security component disabled (PowerShell) | 800 or 4103 or 4104 |
TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Defender: service component status disabled (Registry via Sysmon) | 13 |
TA0005-Defense Evasion | T1562.001-Impair Defenses-Disable or modify tools | Massive process termination burst | 1 or 4688 |
TA0005-Defense Evasion | T1562.002-Disable Windows Event Logging | Event log disabled or size reduced | 1 or 4688 |
TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | Audit policy disabled | 4719 |
TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | SQL Server: audit object deleted | 33205 |
TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | SQL Server: audit object disabled | 33205 |
TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | SQL Server: audit specifications deleted | 33205 |
TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | SQL Server: audit specifications disabled | 33205 |
TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | SQL Server: database audit specifications deleted | 33205 |
TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | SQL Server: database audit specifications disabled | 33205 |
TA0005-Defense Evasion | T1562.002-Impair Defenses: Disable Windows Event Logging | Attempt to disable or clear audit policy via command line | 1 or 4688 |
TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall | Firewall deactivation (cmd) | 1 or 4688 |
TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall | Firewall deactivation (firewall) | 2003 or 4950 |
TA0005-Defense Evasion | T1562.004-Disable or Modify System Firewall | Firewall deactivation (PowerShell) | 800 or 4103 or 4104 |
TA0005-Defense Evasion | T1562.004-Disable/modify firewall (rule) | Any/any firewall rule created | 2004 |
TA0005-Defense Evasion | T1562.004-Disable/modify firewall (rule) | Firewall rule created by a suspicious command (netsh.exe, wmiprvse.exe) | 2004 |
TA0005-Defense Evasion | T1562.004-Disable/modify firewall (rule) | OpenSSH server firewall configuration (command) | 1 or 4688 | SSH server
TA0005-Defense Evasion | T1562.004-Disable/modify firewall (rule) | OpenSSH server firewall configuration (firewall) | 2004 | SSH server
TA0005-Defense Evasion | T1562.004-Disable/modify firewall (rule) | OpenSSH server firewall configuration (PowerShell) | 800 or 4103 or 4104 | SSH server
TA0005-Defense Evasion | T1562-Impair defenses | NTLM downgrade attack | 13 |
TA0005-Defense Evasion | T1564.006-Hide Artifacts: Run Virtual Instance | WSL for Windows installation detected (command) | 1 or 4688 |
TA0005-Defense Evasion | T1564.006-Hide Artifacts: Run Virtual Instance | WSL for Windows installation detected (native) | 9 |
TA0005-Defense Evasion | T1564.006-Hide Artifacts: Run Virtual Instance | WSL for Windows installation detected (PowerShell) | 800 or 4103 or 4104 |
TA0005-Defense Evasion | T1564.006-Hide Artifacts: Run Virtual Instance | Default Windows host name pattern detected in login attempt | 4624 |
TA0006-Credential Access | T1003.001-Credential dumping: LSASS | LSASS credential dump with LSASSY (kernel) | 4656 or 4663 |
TA0006-Credential Access | T1003.001-Credential dumping: LSASS | LSASS credential dump with LSASSY (PowerShell) | 800 or 4103 or 4104 |
TA0006-Credential Access | T1003.001-Credential dumping: LSASS | LSASS credential dump with LSASSY (process) | 1 or 4688 |
TA0006-Credential Access | T1003.001-Credential dumping: LSASS | LSASS credential dump with LSASSY (share) | 5145 |
TA0006-Credential Access | T1003.001-Credential dumping: LSASS | LSASS credentials dump via Task Manager (file) | 11 |
TA0006-Credential Access | T1003.001-Credential dumping: LSASS | LSASS dump indicator via Task Manager access | 1 or 4688 |
TA0006-Credential Access | T1003.001-Credential dumping: LSASS | LSASS process accessed by a non-system account | 4656 or 4663 |
TA0006-Credential Access | T1003.001-Credential dumping: LSASS | SAM database user credential dump | 4661 | Mimikatz
TA0006-Credential Access | T1003.001-Credential dumping: LSASS | Task Manager used to dump LSASS process | 4663 |
TA0006-Credential Access | T1003.002-Security Account Manager | Password dump over SMB ADMIN$ | 5145 | Secretsdump
TA0006-Credential Access | T1003.002-Security Account Manager | SAM database access during DCShadow | 4661 | DCShadow
TA0006-Credential Access | T1003.003-NTDS | IFM created | 325 or 327 |
TA0006-Credential Access | T1003.003-NTDS | IFM created from command line | 1 or 4688 |
TA0006-Credential Access | T1003.003-OS Credential Dumping: NTDS | DSRM configuration changed (Reg via command) | 1 or 4688 |
TA0006-Credential Access | T1003.003-OS Credential Dumping: NTDS | DSRM configuration changed (Reg via PowerShell) | 800 or 4103 or 4104 |
TA0006-Credential Access | T1003.003-OS Credential Dumping: NTDS | DSRM password reset | 4794 |
TA0006-Credential Access | T1003.006-DCSync | Member added to an Exchange DCSync related group | 4728 or 4756 or 4732 | DCSync
TA0006-Credential Access | T1003.006-DCSync | NetSync attack | 4624 and 5145 | NetSync
TA0006-Credential Access | T1003.006-DCSync | Replication privileges granted to perform DCSync attack | 5136 | DCSync
TA0006-Credential Access | T1003-Credential dumping | Backdoor introduction via registry permission change through WMI (DAMP) | 4674 | DAMP
TA0006-Credential Access | T1003-Credential dumping | Diskshadow abuse | 1 or 4688 |
TA0006-Credential Access | T1003-Credential dumping | WDigest authentication enabled (Reg via command) | 1 or 4688 |
TA0006-Credential Access | T1003-Credential dumping | WDigest authentication enabled (Reg via Sysmon) | 12 or 12 |
TA0006-Credential Access | T1003-OS Credential dumping | Group Managed Service Accounts password dump | 4662 | GoldenGMSA
TA0006-Credential Access | T1040-Network sniffing | Windows native sniffing tool Pktmon usage | 1 or 4688 |
TA0006-Credential Access | T1110.xxx-Brute force | Brute force via password reset | 4723 or 4724 |
TA0006-Credential Access | T1110.xxx-Brute force | Brute force enumeration on Windows OpenSSH server with non-existing user | 4625 or 4 | SSH server
TA0006-Credential Access | T1110.xxx-Brute force | Brute force on Windows OpenSSH server with valid user | 4625 or 4 | SSH server
TA0006-Credential Access | T1110.xxx-Brute force | Kerberos brute force enumeration with existing/non-existing users (Kerbrute) | 4771 or 4768 |
TA0006-Credential Access | T1110.xxx-Brute force | Kerberos brute force with non-existing users | 4771 or 4768 |
TA0006-Credential Access | T1110.xxx-Brute force | Login failure from a single source with different non-existing accounts | 33205 |
TA0006-Credential Access | T1110.xxx-Brute force | Login failure from a single source with different non-existing accounts | 4625 |
TA0006-Credential Access | T1555.003-Credentials from Password Stores: Credentials from Web Browsers | User browser credentials dump via network share | 5145 | DonPapi, LaZagne
TA0006-Credential Access | T1555.004-Windows Credential Manager | Credentials (protected by DPAPI) dump via network share | 5145 | DonPapi, LaZagne
TA0006-Credential Access | T1555.004-Windows Credential Manager | Vault credentials were read | 5382 |
TA0006-Credential Access | T1555.004-Windows Credential Manager | Vault credentials were read | 800 or 4103 or 4104 |
TA0006-Credential Access | T1555-Credentials from Password Stores | Azure AD Connect credentials dump via network share | 5145 | AdConnectDump
TA0006-Credential Access | T1555-Credentials from Password Stores | Suspicious Active Directory DPAPI attributes accessed | 4662 |
TA0006-Credential Access | T1555-Credentials from Password Stores | User files dump via network share | 5145 | DonPapi, LaZagne
TA0006-Credential Access | T1557.001-MitM: LLMNR/NBT-NS Poisoning and SMB Relay | Discovery for print spooler bug abuse via named pipe | 5145 |
TA0006-Credential Access | T1557.001-MitM: LLMNR/NBT-NS Poisoning and SMB Relay | Exchange server impersonation via PrivExchange relay attack | 4624 | PrivExchange
TA0006-Credential Access | T1558.001-Golden Ticket | Kerberos TGS ticket request related to a potential Golden ticket | 4769 | Golden ticket
TA0006-Credential Access | T1558.001-Golden Ticket | SMB admin share accessed with a forged Golden ticket | 5140 or 5145 | Golden ticket
TA0006-Credential Access | T1558.001-Golden Ticket | Successful login impersonation with forged Golden ticket | 4624 | Golden ticket
TA0006-Credential Access | T1558.003-Kerberoasting | Kerberoast ticket (TGS) request detected (low encryption) | 4769 | Kerberoast
TA0006-Credential Access | T1558.004-Steal or Forge Kerberos Tickets: AS-REP Roasting | Kerberos AS-REP Roasting ticket request detected | 4768 | AS-REP Roasting
TA0006-Credential Access | T1558-Steal or Forge Kerberos Tickets | Kerberos key list attack for credential dumping | 4769 | Kerberos key list
TA0006-Credential Access | T1558-Steal or Forge Kerberos Tickets | Kerberos ticket without a trailing $ | 4768 or 4769 | CVE-2021-42278/42287 & SAM-the-admin
TA0006-Credential Access | T1558-Steal or Forge Kerberos Tickets | Suspicious Kerberos ticket (TGS) with constrained delegation (S4U2Proxy) | 4769 |
TA0006-Credential Access | T1558-Steal or Forge Kerberos Tickets | Suspicious Kerberos ticket (TGS) with unconstrained delegation (TrustedForDelegation) | 4769 |
TA0006-Credential Access | T1558-Steal or Forge Kerberos Tickets | Suspicious Kerberos proxiable ticket | 4768 | CVE-2021-42278/42287 & SAM-the-admin
TA0007-Discovery | T1016-System Network Configuration Discovery | Firewall configuration enumerated (command) | 1 or 4688 |
TA0007-Discovery | T1016-System Network Configuration Discovery | Firewall configuration enumerated (PowerShell) | 800 or 4103 or 4104 |
TA0007-Discovery | T1016-System Network Configuration Discovery | Attempted zone transfer from a non-DNS server detected | 6004 (DNS server) |
TA0007-Discovery | T1018-Remote System Discovery | DNS hosts file accessed via network share | 5145 |
TA0007-Discovery | T1046-Network Service Scanning | Multiple anonymous logins from a single source | 4624 |
TA0007-Discovery | T1046-Network Service Scanning | RDP discovery performed on multiple hosts | 131 |
TA0007-Discovery | T1046-Network Service Scanning | Suspicious anonymous login | 4624 |
TA0007-Discovery | T1069.001-Discovery domain groups | Local domain group enumeration via RID brute force | 4661 | CrackMapExec
TA0007-Discovery | T1069.001-Discovery domain groups | Local group enumeration via Azure Virtual Machine recovery tool | 4799 |
TA0007-Discovery | T1069.001-Discovery local groups | Remote local group enumeration (SharpHound) | 4799 | SharpHound
TA0007-Discovery | T1069.002-Discovery domain groups | Domain group enumeration | 4661 | CrackMapExec
TA0007-Discovery | T1069.002-Discovery domain groups | Honeypot object (container, computer, group, user) enumerated | 4662 | SharpHound
TA0007-Discovery | T1069.002-Discovery domain groups | Massive SAM domain users & groups discovery | 4661 |
TA0007-Discovery | T1069.002-Discovery domain groups | Sensitive SAM domain user & groups discovery | 4661 |
TA0007-Discovery | T1069-Permission Groups Discovery | Group discovery via command line | 1 or 4688 |
TA0007-Discovery | T1069-Permission Groups Discovery | Group discovery via PowerShell | 800 or 4103 or 4104 |
TA0007-Discovery | T1082-System Information Discovery | Audit policy settings collection | 1 or 4688 |
TA0007-Discovery | T1087.002-Domain Account discovery | Active Directory PowerShell module called from a non-administrative host | 600 |
TA0007-Discovery | T1087.002-Domain Account discovery | Single source performing host enumeration over Kerberos ticket (TGS) detected | 4769 | SharpHound
TA0007-Discovery | T1087-Account discovery | SPN enumeration (command) | 1 or 4688 | Kerberoast
TA0007-Discovery | T1087-Account discovery | SPN enumeration (PowerShell) | 800 or 4103 or 4104 |
TA0007-Discovery | T1087-Account discovery | User enumeration via command line | 1 or 4688 |
TA0007-Discovery | T1135-Network Share Discovery | Host performing advanced named pipe enumeration on different hosts via SMB | 5145 | SharpHound
TA0007-Discovery | T1135-Network Share Discovery | Network share discovery and/or connection via command line | 1 or 4688 |
TA0007-Discovery | T1135-Network Share Discovery | Network share manipulation via command line | 1 or 4688 |
TA0007-Discovery | T1201-Password Policy Discovery | Domain password policy enumeration | 4661 | CrackMapExec
TA0007-Discovery | T1201-Password Policy Discovery | Password policy discovery via command line | 1 or 4688 |
TA0007-Discovery | T1482-Domain Trust Discovery | Active Directory Forest PowerShell class called from a non-administrative host | 800 or 4103 or 4104 |
TA0007-Discovery | T1518-Software discovery | SQL Server database table enumeration | 1 or 4688 |
TA0008-Lateral Movement | T1021.001-Remote Desktop Protocol | Denied RDP login with valid credentials | 4825 |
TA0008-Lateral Movement | T1021.001-Remote Desktop Protocol | RDP BlueKeep connection closed | 148 | CVE-2019-0708
TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Admin share accessed via SMB (basic) | 5140 or 5145 |
TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Impacket WMIexec execution via SMB admin share | 5145 | WMIexec
TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Lateral movement by mounting a network share - net use (command) | 4688 and 4648 |
TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | New file share created on a host | 5142 |
TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Number of outstanding SMB requests increased (command) | 1 or 4688 |
TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | PsExec remote execution via SMB | 5145 |
TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Remote service creation over SMB | 5145 |
TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Remote shell execution via SMB admin share | 5145 |
TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Shared printer creation | 5142 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
TA0008-Lateral Movement | T1021.003-DCOM | DCOM lateral movement (via MMC20) | 4104 |
TA0008-Lateral Movement | T1021.003-DCOM | DCOMexec privilege abuse | 4674 |
TA0008-Lateral Movement | T1021.003-DCOM | DCOMexec process abuse via MMC | 1 or 4688 |
TA0008-Lateral Movement | T1021.004-Remote Services: SSH | OpenSSH native server feature installation | 800 or 4103 or 4104 | SSH server
TA0008-Lateral Movement | T1021.004-Remote Services: SSH | OpenSSH server for Windows activation/configuration detected | 800 or 4103 or 4104 | SSH server
TA0008-Lateral Movement | T1021.006-Windows Remote Management | WinRM listening service reconnaissance | 4656 |
TA0008-Lateral Movement | T1021.006-Windows Remote Management | WinRS usage for remote execution | 1 or 4688 |
TA0008-Lateral Movement | T1021-Remote Services | Honeypot used for lateral movement (failure) | 4625 |
TA0008-Lateral MovementT1021-Remote ServicesHoneypot used for lateral movement (success)4624 or 47**
TA0008-Lateral MovementT1550.002-Use Alternate Authentication Material: Pass the HashLSASS dump via process access10Mimikatz
TA0008-Lateral MovementT1550.002-Use Alternate Authentication Material: Pass the HashPass-the-hash login4624Mimikatz
TA0008-Lateral MovementT1563.002-RDP hijackingRDP session hijack via TSCON abuse command1 or 4688
TA0009-CollectionT1125-Video captureRDP shadow session started (command)1 or 4688
TA0009-CollectionT1125-Video captureRDP shadow session started (native)20503 or 04 or 08
TA0009-CollectionT1125-Video captureRDP shadow session started (registry)13
TA0011-Command and controlWinlogon process contact to C2 (Blacklotus)3
TA0011-Command and control1071.004- Application Layer Protocol: DNSDoT activation (command)1 or 4688
TA0011-Command and control1071.004- Application Layer Protocol: DNSDoT activation (PowerShell)800 or 4103 or 4104
TA0011-Command and controlT1090-ProxyProxy configuration changed5600
TA0011-Command and controlT1572-Protocol tunnelingRDP tunneling configuration enabled for port forwarding1 or 4688
TA0011-Command and controlT1572-Protocol tunnelingRDP tunneling detected1149
TA0011-Command and controlT1572-Protocol tunnelingRDP tunneling detected via ngrok21 or 25 or 1149
TA0040-ImpactT1486-Data Encrypted for ImpactBitLocker feature configuration (Reg via command)1 or 4688
TA0040-ImpactT1486-Data Encrypted for ImpactBitLocker massive feature activation (native)768
TA0040-ImpactT1486-Data Encrypted for ImpactBitLocker server feature activation (PowerShell)800 or 4103 or 4104
TA0040-ImpactT1489-Service StopMassive services termination burst1 or 4688
TA0040-ImpactT1490-Inhibit System RecoveryVSS backup deletion (PowerShell)800 or 4103 or 4104
TA0040-ImpactT1490-Inhibit System RecoveryVSS backup deletion (WMI)1 or 4688
TA0040-ImpactT1490-Inhibit System RecoveryVSS backup deletion1 or 4688
TA0040-ImpactT1490-Inhibit System RecoveryWindows native backup deletion1 or 4688
TA0040-ImpactT1490-Inhibit System RecoveryWindows native backup size re-configuration1 or 4688
TA0040-ImpactT1565-Data manipulationDNS hosts file modified11