Skip to main content
Skip table of contents

MITRE ATT&CK Module

The MITRE ATT&CK Module is a collection of AI Engine rules designed to detect unusual or malicious user activity that is occurring within your organization’s network.

General Data Collection Requirements

When enabling the MITRE ATT&CK Module rules in your environment, be aware of the following considerations regarding data collection:

  1. Detection of many of the adversarial techniques in the MITRE framework requires logging at the endpoint.

  2. Many of the detections require command-line parameter logging.

  3. Endpoint logging solutions must be configured to log the objects (such as processes, directories, and registry entries) cited in the AIE Rules.

Logging and Monitoring Configuration

Configure Command Line Parameter Logging

Command line parameter logging must be enabled for several of the AI Engine rules in the MITRE ATT&CK Module. The following instructions explain how to enable command line parameter logging for the MS Windows Event Logging XML - Security and MS Windows Event Logging XML - Sysmon 8/9/10 log source types.

Command Line Parameter Logging for MS Windows Event Logging XML - Security logs

Two group policy settings must be enabled in Microsoft Windows: Audit Process Creation and Include command line in process creation events.

  • Audit Process Creation. Enable the following setting in Windows Group Policy:

    • Policy Location: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking

    • Policy Name: Audit Process Creation

    • Include command line in Process Creation Events. Enable the following setting in Windows Group Policy:

      • Policy Location: Computer Configuration > Administrative Templates > System > Audit Process Creation

      • Policy Name: Include command line in process creation events

For more information, see https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing.

Command Line Parameter Logging for MS Windows Event Logging XML - Sysmon logs

Microsoft Sysmon process creation events (Event ID 1) provide extended information about newly-created processes including their command line parameters.

Sysmon is configured via an XML configuration file which specifies include and exclude filters for the names of processes that will be logged.

If Microsoft Sysmon is already deployed in your organization, review the <ProcessCreate> section of your Sysmon configuration file and ensure that it does not exclude the process names cited in AI Engine Rules Log Sources section later in this document.

If Microsoft Sysmon is not deployed in your environment, the following resources can get you started:

Configure PowerShell Logging

PowerShell Script Block logging must be enabled for visibility into the PowerShell commands that are executed.

  • Turn on PowerShell Script Block Logging. Enable the following setting in Windows Group Policy:

    • Policy Location: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell

    • Policy Name: Turn on PowerShell Script Block Logging

It is not necessary to enable the “Log script invocation start/stop events” setting. Doing so may increase log volume substantially.

PowerShell events are logged to the Microsoft-Windows-PowerShell/Operational Event Log. Ensure that you have a Log Source configured to collect this log. For more information on PowerShell logging, see https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_overview.

Configure Registry Monitoring

Registry Monitoring must be deployed and configured for several of the AI Engine rules in the MITRE ATT&CK Module. The following instructions explain how to enable Registry Monitoring logging for the MS Windows Event Logging XML – Security, MS Windows Event Logging XML - Sysmon 8/9/10, and LogRhythm Registry Integrity Monitor log source types.

Registry Monitoring Configuration for MS Windows Event Logging XML - Security logs

Configuring Registry Monitoring for the Windows Security logs is a two-step process: enable the group policy settings for the Audit Registry and configure the Audit settings for the registry keys that you wish to monitor.

  • Enable Audit Registry. Enable the following setting in Windows Group Policy:

    • Policy Location: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access

    • Policy Name: Audit Registry

Configure the Audit Settings for the registry keys that you wish to monitor

To configure Registry Auditing Settings, follow the guidance at https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry

Registry Monitoring Configuration for MS Windows Event Logging XML - Sysmon logs

Microsoft Sysmon registry modification events (Event ID 12, 13 & 14) provide information about registry objects being added, deleted, set or renamed.

Sysmon is configured via an XML configuration file which specifies include and exclude filters for the registry key paths of processes that will be monitored.

If Microsoft Sysmon is already deployed in your organization, review the <RegistryEvent> section of your Sysmon configuration file and ensure that it does not exclude the registry paths cited in AI Engine Rules Log Sources section later in this document.

If Microsoft Sysmon is not deployed in your environment, the following resources can get you started:

Registry Monitoring Configuration for LogRhythm Registry Integrity Monitor logs

LogRhythm Sysmon includes the Registry Integrity Monitor feature.

Configure a Registry Integrity Monitor Policy to include the registry paths cited in the AI Engine Rules Log Sources table later in this document.

For information on the configuration of Registry Integrity Monitor, see the Registry Integrity Monitoring section in the LogRhythm SIEM Help, available under Documentation & Downloads on the LogRhythm Community.

Configure File Monitoring

File Monitoring must be deployed and configured for several of the AI Engine rules in the MITRE ATT&CK Module. The following instructions explain how to enable File Monitoring logging for the MS Windows Event Logging XML – Security, MS Windows Event Logging XML - Sysmon 8/9/10, and LogRhythm File Monitor log source types.

File Monitoring Configuration for MS Windows Event Logging XML - Security logs

Configuring File Monitoring for the Windows Security logs is a two-step process: enable the group policy settings for the Audit File System and configure the Audit settings for the file system paths that you wish to monitor.

  • Enable Audit File System. Enable the following setting in Windows Group Policy:

    • Policy Location: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access

    • Policy Name: Audit File System

 Configure the Audit Settings for the File System paths that you wish to monitor

To configure File System Auditing Settings, follow the guidance at: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system

File System Monitoring Configuration for MS Windows Event Logging XML - Sysmon logs

Microsoft Sysmon file create events (Event ID 11) provide information about files being added to the file system.

Sysmon is configured via an XML configuration file which specifies include and exclude filters for the file system names and paths that will be monitored.

If Microsoft Sysmon is already deployed in your organization, review the <FileCreate> section of your Sysmon configuration file and ensure that it does not exclude the file paths cited in AI Engine Rules Log Sources section later in this document.

If Microsoft Sysmon is not deployed in your environment, the following resources can get you started:

File System Monitoring Configuration for LogRhythm File Monitor logs

LogRhythm Sysmon includes the File Integrity Monitor feature.

Configure a File Integrity Monitor Policy to include the file system paths cited in the AI Engine Rules Log Sources table later in this document.

For information on the configuration of File Integrity Monitor, see the File Integrity Monitoring section in the LogRhythm SIEM Help, available under Documentation & Downloads on the LogRhythm Community.

Configure File Creation Time Monitoring

File Creation Time Changed Configuration for MS Windows Event Logging XML - Sysmon logs

Microsoft Sysmon file creation time events (Event ID 2) provide information about file creation times being changed retroactively in the file system.

Sysmon is configured via an XML configuration file which specifies include and exclude filters for the file system names and paths that will be monitored.

If Microsoft Sysmon is already deployed in your organization, review the <FileCreateTime> section of your Sysmon configuration file and ensure that it does not exclude the file paths cited in AI Engine Rules Log Sources section later in this document.

If Microsoft Sysmon is not deployed in your environment, the following resources can get you started:


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.