MITRE ATT&CK Module
The MITRE ATT&CK Module is a collection of Axon Streaming Analytics rules designed to detect unusual or malicious user activity that is occurring within your organization’s network.
General Data Collection Requirements
When enabling the MITRE ATT&CK Module rules in your environment, be aware of the following considerations regarding data collection:
Detection of many of the adversarial techniques in the MITRE framework requires logging at the endpoint.
Many of the detections require command-line parameter logging.
Endpoint logging solutions must be configured to log the objects (such as processes, directories, and registry entries) cited in the Axon Streaming Analytics Rules.
Logging and Monitoring Configuration
Configure Command Line Parameter Logging
Command line parameter logging must be enabled for several of the Axon Streaming Analytics rules in the MITRE ATT&CK Module. The following instructions explain how to enable command line parameter logging for the MS Windows Event Logging XML - Security and MS Windows Event Logging XML - Sysmon 8/9/10 log source types.
Command Line Parameter Logging for MS Windows Event Logging XML - Security logs
Two group policy settings must be enabled in Microsoft Windows: Audit Process Creation and Include command line in process creation events.
Audit Process Creation. Enable the following setting in Windows Group Policy:
Policy Location: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking
Policy Name: Audit Process Creation
Include command line in Process Creation Events. Enable the following setting in Windows Group Policy:
Policy Location: Computer Configuration > Administrative Templates > System > Audit Process Creation
Policy Name: Include command line in process creation events
For more information, see https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing.
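The two Group Policy settings above, applied locally and then verified, as an added example (this is not code from the LogRhythm page). It uses auditpol for the Detailed Tracking subcategory and sets the registry value that backs the Administrative Template setting; the marker string and the 200-event window are arbitrary choices. Run it from an elevated PowerShell session.

```powershell
# Added example (not part of the LogRhythm page): enable process-creation auditing
# with command-line capture on the local machine, then confirm that new Security
# 4688 events carry the CommandLine field. Run from an elevated PowerShell.
# On a domain-joined host the Group Policy settings named above override these
# local settings at the next policy refresh, so set them in the GPO as well.

# 1. Audit Process Creation (Advanced Audit Policy > Detailed Tracking).
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# 2. "Include command line in process creation events": this DWORD is the
#    registry value behind the Administrative Template setting.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Create a process with distinctive arguments and read the event back.
$marker = "axon-cmdline-check-$(Get-Random)"   # arbitrary marker value
Start-Process -FilePath 'cmd.exe' -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait
Start-Sleep -Seconds 2

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 200 |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            NewProcess  = $d['NewProcessName']
            Parent      = $d['ParentProcessName']
            CommandLine = $d['CommandLine']
        }
    }

$hit = $events | Where-Object { $_.CommandLine -like "*$marker*" }
if ($hit) {
    'OK: 4688 carries the command line:'
    $hit | Format-Table -AutoSize
} else {
    'No 4688 event with the marker. Check auditpol /get /subcategory:"Process Creation"'
    'and whether CommandLine is empty in the most recent 4688 events:'
    $events | Select-Object -First 5 | Format-Table -AutoSize
}
```

If the events exist but CommandLine is empty, the audit subcategory is on but the "Include command line" setting is not, which is the most common reason the command-line rules in the module stay silent.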
Command Line Parameter Logging for MS Windows Event Logging XML - Sysmon logs
Microsoft Sysmon process creation events (Event ID 1) provide extended information about newly created processes, including their command line parameters, the parent process and its command line, and file hashes.
Sysmon is configured via an XML configuration file which specifies include and exclude filters on the fields of a process creation event (such as the image path and command line) to decide which events will be logged.
If Microsoft Sysmon is not deployed in your environment, the following resources can get you started:
The installation files and configuration instructions for Microsoft Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
A starter Sysmon configuration file, which includes the process creation logging necessary to trigger the Axon Streaming Analytics rules in the MITRE ATT&CK Module: https://github.com/LogRhythm-Labs/Microsoft-SysMon-config
Configure PowerShell Logging
PowerShell Script Block logging must be enabled for visibility into the PowerShell commands that are executed. Because the content is recorded as PowerShell processes it, script block logging also captures code that was obfuscated or downloaded at run time and never written to disk.
Turn on PowerShell Script Block Logging. Enable the following setting in Windows Group Policy:
Policy Location: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell (in the Group Policy Management Editor the same setting appears under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell)
Policy Name: Turn on PowerShell Script Block Logging
It is not necessary to enable the “Log script invocation start/stop events” option within this setting. Doing so writes an additional start and stop event (Event IDs 4105 and 4106) for every script block and may increase log volume substantially.
Script block contents are logged as Event ID 4104 to the Microsoft-Windows-PowerShell/Operational Event Log. Ensure that you have a Log Source configured to collect this log. For more information on PowerShell logging, see https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_overview.
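The Script Block Logging setting applied locally and then checked against the Operational log, as an added example (not code from the LogRhythm page). It sets the policy registry values behind the GPO setting, runs a deliberately long script so that Sysmon-style fragmenting is visible, and reassembles the Event ID 4104 fragments by ScriptBlockId. The marker string, filler size and temp file name are arbitrary. Run from an elevated PowerShell session.

```powershell
# Added example (not part of the LogRhythm page): turn on PowerShell Script Block
# Logging via the policy registry keys behind the GPO setting named above, leave
# invocation start/stop logging off, then read Event ID 4104 from
# Microsoft-Windows-PowerShell/Operational and reassemble script blocks that were
# logged as several fragments. Run from an elevated PowerShell.

$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
# "Log script invocation start/stop events" stays disabled (4105/4106 noise).
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockInvocationLogging' -Value 0 -Type DWord

# Run a fresh powershell.exe so it reads the policy, executing a large script:
# 4104 splits script blocks above the event size limit into numbered fragments.
$marker = "axon-sbl-check-$(Get-Random)"          # arbitrary marker value
$script = "# $marker`n" + ("Write-Output 'filler line'`n" * 2000)
$tmp = Join-Path $env:TEMP 'axon-sbl-check.ps1'     # arbitrary temp file name
Set-Content -Path $tmp -Value $script
& powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmp | Out-Null
Start-Sleep -Seconds 2

function Get-ScriptBlockText {
    # Returns one object per ScriptBlockId with its fragments joined in order.
    param([int]$MaxEvents = 500)
    $frags = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time  = $_.TimeCreated
                Id    = $d['ScriptBlockId']
                Num   = [int]$d['MessageNumber']
                Total = [int]$d['MessageTotal']
                Path  = $d['Path']
                Text  = $d['ScriptBlockText']
            }
        }
    $frags | Group-Object Id | ForEach-Object {
        $parts = @($_.Group | Sort-Object Num)
        [pscustomobject]@{
            ScriptBlockId = $_.Name
            Fragments     = $parts.Count
            Complete      = ($parts.Count -eq $parts[0].Total)   # all fragments collected?
            Path          = $parts[0].Path
            Text          = ($parts.Text -join '')
        }
    }
}

$hit = Get-ScriptBlockText | Where-Object { $_.Text -like "*$marker*" }
if ($hit) {
    $hit | Select-Object ScriptBlockId, Fragments, Complete, Path | Format-List
} else {
    'No 4104 event with the marker; confirm the policy applied (gpresult /r) and the log is enabled.'
}
Remove-Item -Path $tmp -ErrorAction SilentlyContinue
```

Detection content that searches 4104 for a string should be aware of the fragmenting shown here: a pattern split across two fragments will not match either event on its own, which is why the SIEM side should key on ScriptBlockId and MessageNumber/MessageTotal when reassembling.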
Configure Registry Monitoring
Registry Monitoring must be deployed and configured for several of the Axon Streaming Analytics rules in the MITRE ATT&CK Module. The following instructions explain how to enable Registry Monitoring logging for the MS Windows Event Logging XML – Security, MS Windows Event Logging XML - Sysmon 8/9/10, and LogRhythm Registry Integrity Monitor log source types.
Registry Monitoring Configuration for MS Windows Event Logging XML - Security logs
Configuring Registry Monitoring for the Windows Security logs is a two-step process: enable the Audit Registry group policy setting, then configure audit entries (the SACL) on the registry keys that you wish to monitor. Only keys that carry an audit entry generate events, so auditing can be limited to the keys the rules need.
Enable Audit Registry. Enable the following setting in Windows Group Policy:
Policy Location: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access
Policy Name: Audit Registry
Configure the Audit Settings for the registry keys that you wish to monitor
To configure Registry Auditing Settings, follow the guidance at https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry
Registry Monitoring Configuration for MS Windows Event Logging XML - Sysmon logs
Microsoft Sysmon registry events (Event IDs 12, 13, and 14) record registry keys and values being created or deleted (12), values being set (13), and keys or values being renamed (14).
Sysmon is configured via an XML configuration file which specifies include and exclude filters on the registry key and value paths (TargetObject) that will be monitored.
If Microsoft Sysmon is not deployed in your environment, the following resources can get you started:
The installation files and configuration instructions for Microsoft Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
A starter Sysmon configuration file, which includes the event logging necessary to trigger the Axon Streaming Analytics rules in the MITRE ATT&CK Module: https://github.com/LogRhythm-Labs/Microsoft-SysMon-config
Registry Monitoring Configuration for LogRhythm Registry Integrity Monitor logs
The LogRhythm System Monitor agent (the LogRhythm agent, distinct from Microsoft Sysmon) includes the Registry Integrity Monitor feature.
For information on the configuration of Registry Integrity Monitor, see the Registry Integrity Monitoring section in the LogRhythm SIEM Help, available under Documentation & Downloads on the LogRhythm Community.
Configure File Monitoring
File Monitoring must be deployed and configured for several of the Axon Streaming Analytics rules in the MITRE ATT&CK Module. The following instructions explain how to enable File Monitoring logging for the MS Windows Event Logging XML – Security, MS Windows Event Logging XML - Sysmon 8/9/10, and LogRhythm File Monitor log source types.
File Monitoring Configuration for MS Windows Event Logging XML - Security logs
Configuring File Monitoring for the Windows Security logs is a two-step process: enable the Audit File System group policy setting, then configure audit entries (the SACL) on the file system paths that you wish to monitor. Only paths that carry an audit entry generate events, so keep the audited set narrow or the Security log will fill quickly.
Enable Audit File System. Enable the following setting in Windows Group Policy:
Policy Location: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access
Policy Name: Audit File System
Configure the Audit Settings for the File System paths that you wish to monitor
To configure File System Auditing Settings, follow the guidance at: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
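Both two-step procedures on this page (Audit Registry above, and Audit File System here) carried out locally, as an added example that is not code from the LogRhythm page or the Microsoft guidance it links to. It enables the two Object Access subcategories, adds narrow success-audit SACL entries to one autostart registry key and the all-users Startup folder, triggers one change of each kind, and reads the resulting Security events. The audited paths, the test value name and the test file name are illustrative choices. Run from an elevated PowerShell session.

```powershell
# Added example (not part of the LogRhythm page): local equivalent of the Audit
# Registry and Audit File System steps, with SACL entries on one key and one
# folder, followed by a check of the Security events they produce.

# Step 1: the Advanced Audit Policy subcategories behind "Audit Registry" and
# "Audit File System" (Object Access).
auditpol /set /subcategory:"Registry" /success:enable | Out-Null
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Step 2a: audit successful value writes, subkey creation and deletion under the
# Run key (a common persistence location). Illustrative choice of key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$acl = Get-Acl -Path $runKey -Audit
$acl.AddAuditRule((New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)))
Set-Acl -Path $runKey -AclObject $acl

# Step 2b: audit file creation, writes and deletion in the all-users Startup
# folder, inherited by files and subfolders. Illustrative choice of folder.
$startup = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'
$acl = Get-Acl -Path $startup -Audit
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'CreateFiles, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)))
Set-Acl -Path $startup -AclObject $acl

# Trigger one change of each kind, then remove the test artefacts.
$since = Get-Date
Set-ItemProperty -Path $runKey -Name 'AxonAuditCheck' -Value 'cmd.exe /c whoami'   # test value
Remove-ItemProperty -Path $runKey -Name 'AxonAuditCheck'
$testFile = Join-Path $startup 'axon-audit-check.txt'                               # test file
Set-Content -Path $testFile -Value 'test'
Remove-Item -Path $testFile
Start-Sleep -Seconds 2

# 4657 = registry value modified, 4663 = object accessed, 4660 = object deleted.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4660, 4663; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Object  = $d['ObjectName']
            Value   = $d['ObjectValueName']
            Process = $d['ProcessName']
            Subject = $d['SubjectUserName']
        }
    } | Format-Table -AutoSize
```

If the subcategory is enabled but no events appear, the SACL did not apply: Get-Acl -Audit and Set-Acl both need an elevated session, and on a domain member a Global Object Access Auditing policy or a Group Policy that manages these SACLs will take precedence over local edits.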
File System Monitoring Configuration for MS Windows Event Logging XML - Sysmon logs
Microsoft Sysmon file create events (Event ID 11) record files being created or overwritten on the file system.
Sysmon is configured via an XML configuration file which specifies include and exclude filters on the target file names and paths (TargetFilename) that will be monitored.
If Microsoft Sysmon is not deployed in your environment, the following resources can get you started:
The installation files and configuration instructions for Microsoft Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
A starter Sysmon configuration file, which includes the event logging necessary to trigger the Axon Streaming Analytics rules in the MITRE ATT&CK Module: https://github.com/LogRhythm-Labs/Microsoft-SysMon-config
File System Monitoring Configuration for LogRhythm File Monitor logs
The LogRhythm System Monitor agent (the LogRhythm agent, distinct from Microsoft Sysmon) includes the File Integrity Monitor feature.
For information on the configuration of File Integrity Monitor, see the File Integrity Monitoring section in the LogRhythm SIEM Help, available under Documentation & Downloads on the LogRhythm Community.
Configure File Creation Time Monitoring
File Creation Time Changed Configuration for MS Windows Event Logging XML - Sysmon logs
Microsoft Sysmon file creation time events (Event ID 2) record a process explicitly changing the creation time of a file. Adversaries do this (timestomping) so that a dropped file appears to have been present since the system was installed.
Sysmon is configured via an XML configuration file which specifies include and exclude filters on the target file names and paths (TargetFilename) that will be monitored.
If Microsoft Sysmon is not deployed in your environment, the following resources can get you started:
The installation files and configuration instructions for Microsoft Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
A starter Sysmon configuration file, which includes the event logging necessary to trigger the Axon Streaming Analytics rules in the MITRE ATT&CK Module: https://github.com/LogRhythm-Labs/Microsoft-SysMon-config
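One Sysmon configuration covering the four Sysmon sections of this page (process creation, registry, file create and file creation time), as an added example. It is not the LogRhythm-Labs starter configuration linked above and not code from the LogRhythm page; it is a minimal illustration of how the include and exclude filters for each event type are expressed, and of how to install or update it and confirm events arrive. The schema version, the Sysmon64.exe location, the output path and every filter value are illustrative assumptions: print the schema your installed version accepts with "Sysmon64.exe -s" and replace the paths with ones measured in your environment. Run from an elevated PowerShell session.

```powershell
# Added example (not part of the LogRhythm page or the LogRhythm-Labs starter config):
# a minimal Sysmon configuration enabling Event IDs 1 (ProcessCreate),
# 2 (FileCreateTime), 11 (FileCreate) and 12/13/14 (RegistryEvent), installed or
# updated with Sysmon64.exe, then a per-event-ID count from the Sysmon channel.

$configPath = Join-Path $env:ProgramData 'sysmon-axon.xml'   # assumed output path
$sysmonExe  = 'C:\Tools\Sysmon64.exe'                        # assumed download location

@'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1. onmatch="exclude" with no rules would log EVERY process
         creation with its command line; an "include" with no rules logs none.
         Exclusions belong only to images you have measured as noisy. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 2: creation-time changes (timestomping) under user profiles. -->
    <RuleGroup name="" groupRelation="or">
      <FileCreateTime onmatch="include">
        <TargetFilename condition="begin with">C:\Users</TargetFilename>
      </FileCreateTime>
    </RuleGroup>
    <!-- Event ID 11: files written to autostart and script locations. -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">\Start Menu\Programs\Startup\</TargetFilename>
        <TargetFilename condition="end with">.ps1</TargetFilename>
        <TargetFilename condition="end with">.vbs</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <!-- Event IDs 12/13/14: autostart and service registry changes. Sysmon
         reports hive names abbreviated (HKLM, HKU) in TargetObject. -->
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
        <TargetObject condition="contains">\CurrentVersion\RunOnce</TargetObject>
        <TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding ASCII

# Install, or update the running configuration if the service already exists
# (the service name follows the executable name, Sysmon64 for Sysmon64.exe).
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $sysmonExe -c $configPath
} else {
    & $sysmonExe -accepteula -i $configPath
}

# Sanity check: how many of each event ID the channel holds. An ID absent after
# some activity usually means its "include" filter matched nothing.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 2, 11, 12, 13, 14 } `
        -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```

The include/exclude semantics are the usual source of silent failure: a section written as onmatch="include" logs only what its rules match, so a typo in a single TargetObject or TargetFilename filter quietly removes that coverage, whereas an empty onmatch="exclude" section logs everything for that event type. The LogRhythm-Labs starter configuration linked above is the supported baseline; the fragment here only shows the mechanism.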