MITRE ATT&CK® – AI Engine Rules
AI Rule ID | AI Rule Name | Log Sources Referenced by Rule | Items to Monitor |
---|---|---|---|
1449 | T1003:OS Credential Dumping | MS Windows Event Logging XML - Security; LogRhythm File Monitor (Windows); LogRhythm Process Monitor (Windows); LogRhythm Registry Integrity Monitor; MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon¹ | Processes: Reg.exe, Mimikatz.exe |
1452 | T1007:System Service Discovery | MS Windows Event Logging XML - Security; MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon¹ | Processes: Sc.exe, Tasklist.exe, Wmic.exe |
1453 | T1012:Query Registry | MS Windows Event Logging XML - Security; MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon 8/9¹; MS Windows Event Logging XML - Sysmon¹ | Processes: Reg.exe |
1454 | T1016:System Network Configuration Discovery | MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon¹ | Processes: Arp.exe, Ipconfig.exe, Nbtstat.exe, Net.exe, Netsh.exe |
1455 | T1033:System Owner-User Discovery | MS Windows Event Logging XML - Security; MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon¹ | Processes: Cmd.exe, Quser.exe, Qwinsta.exe, Whoami.exe, Wmic.exe |
1456 | T1048:Exfiltration Over Alternative Protocol | Syslog - LogRhythm Network Monitor | |
1457 | T1018:Remote System Discovery | MS Windows Event Logging XML - Security; LogRhythm File Monitor (Windows); LogRhythm Process Monitor (Windows); MS Windows Event Logging XML - Sysmon¹ | Processes: Arp.exe, Ping.exe, Net.exe |
1459 | T1543.003:Windows Service | MS Windows Event Logging XML - Security; LogRhythm Registry Integrity Monitor; MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon¹; MS Windows Event Logging XML - System; Syslog - Cb Response LEEF | Registry: *System\CurrentControlSet\Services\ |
1460 | T1547.001:Registry Run Keys/Startup Folder | MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon¹ | Processes: Reg.exe. Registry: *Software\Microsoft\Command Processor\; *Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\; *Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\; *Software\Microsoft\Windows\CurrentVersion\Run\; *Software\Microsoft\Windows\CurrentVersion\RunOnce\; *Software\Microsoft\Windows\CurrentVersion\RunOnceEx\ |
1461 | T1059:Command and Scripting Interpreter | MS Windows Event Logging XML - Security; MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon¹ | Processes: Cmd.exe, Powershell.exe |
1462 | T1021.002:SMB/Windows Admin Shares | MS Windows Event Logging XML - Security; MS Windows Event Logging - PowerShell | Processes: Net.exe |
1463 | T1082:System Information Discovery | MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon¹ | Processes: Reg.exe |
1464 | T1059.001:PowerShell | MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon; MS Windows Event Logging XML - Sysmon 8/9/10 | Processes: Powershell.exe |
1466 | T1189:Drive-By Compromise | MS Windows Event Logging XML - Security | Processes: Chrome.exe, Edge.exe, Firefox.exe, Iexplore.exe. File System: *temp\* |
1467 | T1057:Process Discovery | MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon¹ | Processes: Tasklist.exe |
1468 | T1047:Windows Management Instrumentation | MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon¹ | Processes: Wmic.exe |
1469 | T1070.006:Timestomp | MS Windows Event Logging XML - Sysmon¹ | File System: C:\Users |
1477 | T1069:Permission Groups Discovery | MS Windows Event Logging XML - Security; MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon¹ | Processes: Cmd.exe, Powershell.exe |
1478 | T1087:Account Discovery | MS Windows Event Logging XML - Security; MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon¹ | Processes: Cmd.exe, Powershell.exe |
1479 | T1083:File and Directory Discovery | MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - PowerShell; MS Windows Event Logging XML - Security (v1 & v2); MS Windows Event Logging XML - Sysmon (v1 & v2); MS Windows Event Logging XML - Sysmon 8/9/10 | Configuration: PowerShell Module logging must be enabled. Refer to the Logging and Monitoring Configuration section of the MITRE ATT&CK Module Deployment Guide for more information: https://docs.logrhythm.com/docs/kb/threat-detection/mitre-att-ck-module/mitre-att-ck-module-deployment-guide/mitre-att-ck-deployment-guide-import-and-synchronize-the-module#MITREATT&CK%C2%AEDeploymentGuide%E2%80%93ImportandSynchronizetheModule-LoggingandMonitoringConfiguration. Tuning: |
1480 | T1218.011:Rundll32 | MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon¹ | Processes: rundll32.exe |
1481 | T1569.002:Service Execution | MS Windows Event Logging XML - Security; LogRhythm Registry Integrity Monitor; MS Windows Event Logging XML - Sysmon¹; MS Windows Event Logging XML - System | Registry: HKLM\System\CurrentControlSet\Services. Processes: cmd.exe, powershell.exe |
1482 | T1090.001:Proxy | MS Windows Event Logging XML - Sysmon¹ | Event ID: 3 |
1483 | T1105:Ingress Tool Transfer | MS Windows Event Logging XML - Sysmon¹; LogRhythm File Monitor (Windows); MS Windows Event Logging XML - Security | Processes: Cmd.exe, Powershell.exe |
1484 | T1218.010:Regsvr32 | MS Windows Event Logging XML - Sysmon¹ | Processes: regsvr32.exe |
1492 | T1036.003:Rename System Utilities. This rule requires populating the following system list: Windows System32 Hashes. This list can be populated by running the following PowerShell command on a representative Windows workstation: CODE. Import the contents of hashes.txt into the Windows System32 Hashes list. | MS Windows Event Logging XML - Sysmon¹ | |
1493 | T1566.001:Spearphishing Attachment | MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon 8/9/10¹; Syslog - Cb Response LEEF | Registry: SOFTWARE\Microsoft\VBA; \microsoft shared\vba\; SOFTWARE\Microsoft\VBA |
1494 | T1550.002:Pass the Hash | MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon¹ | |
1495 | T1550.003:Pass the Ticket | MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon¹ | |
1497 | T1053:Scheduled Task/Job | MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon 8/9/10¹ | Processes: at.exe, schtasks.exe |
1499 | T1136.003:Cloud Account | API - Office 365 Management Activity | |
1500 | T1098:Account Manipulation | API - Office 365 Management Activity | |
1501 | T1566.002:Spearphishing Link | MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon 8/9/10¹; Syslog - Palo Alto Firewall | Processes: outlook.exe, chrome.exe, firefox.exe, iexplore.exe, microsoftedge.exe, opera.exe, safari.exe |
1502 | T1534:Internal Spearphishing. Configuration: This rule must be configured before enabling. Add a second include filter that looks for internal spearphishing emails from your domain. Follow the format of the example, where Sender Is: yourcompany\.com$ (REGEX NO CASE), Recipient Is: yourcompany\.com$ (REGEX NO CASE), and Command Is: timaildata. | API - Office 365 Management Activity | |
1503 | T1114.003:Email Forwarding Rule | API - Office 365 Management Activity | |
1504 | T1566.002:Spearphishing Link:O365 | API - Office 365 Management Activity | |
1505 | T1190:Exploit Public-Facing Application:SQL Injection | API - Cisco IDS/IPS; API - Sourcefire eStreamer; Flat File - McAfee Foundstone; Flat File - Snort Fast Alert File; OPSEC LEA - Checkpoint Firewall; OPSEC LEA - Checkpoint Log Server; Syslog - Apcon Network Monitor; Syslog - Cisco FirePOWER; Syslog - Cisco FireSIGHT; Syslog - Citrix Netscaler; Syslog - Dell SecureWorks iSensor IPS; Syslog - Enterasys Dragon IDS; Syslog - F5 BIG-IP ASM v12; Syslog - F5 Big-IP LTM; Syslog - Fortinet FortiAnalyzer; Syslog - Fortinet FortiGate v4.0; Syslog - IBM WebSphere DataPower Integration; Syslog - Imperva Incapsula CEF; Syslog - Imperva SecureSphere; Syslog - Juniper Firewall; Syslog - Juniper IDP; Syslog - Juniper NSM; Syslog - NetScreen Firewall; Syslog - OSSEC Alerts; Syslog - Sguil; Syslog - Snort IDS; Syslog - Sourcefire IDS 3D; Syslog - Symantec Endpoint Server; Syslog - Tipping Point IPS; Syslog - Trend Micro Deep Security CEF; Syslog - Trustwave Web Application Firewall; UDLA - ISS Proventia SiteProtector - IPS | This rule looks specifically for logs applicable to detecting "SQL Injection". Configure the rule with the expected log source types by adding them on the Log Source Criteria tab in the rule block. This rule should evaluate only logs associated with public-facing web applications. Applicable log source types include, but are not limited to, those listed under "Log Sources Referenced by Rule". |
1513 | T1199:Trusted Relationship. This rule requires populating the following system list: MA: Third Party Accounts | Advanced Intelligence | This rule must be tuned before enabling. Populate the "MA: Third Party Accounts" list with the user or service accounts used by third parties to access your company's network, applications, services, etc. |
1522 | T1078.001:Default Accounts. This rule requires populating the following system list: MA: Default Accounts | Advanced Intelligence | This rule must be tuned before enabling. Populate the "MA: Default Accounts" list with the default accounts applicable to your company's network, applications, services, etc. |
1523 | T1078.002:Domain Accounts. This rule requires populating the following system list: MA: Domain Accounts | Advanced Intelligence | This rule must be tuned before enabling. Populate the "MA: Domain Accounts" list with the domain accounts applicable to your company's network, applications, services, etc. |
1524 | T1078.003:Local Accounts. This rule requires populating the following system list: MA: Local Accounts | Advanced Intelligence | This rule must be tuned before enabling. Populate the "MA: Local Accounts" list with the local accounts applicable to your company's network, applications, services, etc. |
1525 | T1078.004:Cloud Accounts. This rule requires populating the following system list: MA: Cloud Accounts | Advanced Intelligence | This rule must be tuned before enabling. Populate the "MA: Cloud Accounts" list with the cloud accounts applicable to your company's network, applications, services, etc. |
1526 | T1606.002:SAML Tokens:O365 and ADFS. This rule requires use of the TrueIdentity feature. | API - Office 365 Management Activity; MS Windows Event Logging XML - Security; Syslog - Open Collector - Azure Event Hub | |
1527 | T1484.002:Domain Trust Modification | API - Office 365 Management Activity; MS Windows Event Logging - PowerShell; Syslog - Open Collector - Azure Event Hub | |
1540 | T1552.004:Private Keys | MS Windows Event Logging XML - Security; MS Windows Event Logging - Security; MS Windows Event Logging XML - PowerShell; MS Windows Event Logging - PowerShell | Note: Additional exclusions may be needed for processes that legitimately use the "\microsoft##wid\tsql\query" named pipe. |
1541 | T1489:Service Stop | MS Windows Event Logging XML - Security; MS Windows Event Logging - Security; MS Windows Event Logging XML - PowerShell; MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon; MS Windows Event Logging XML - Sysmon 8/9/10; MS Windows Event Logging - Sysmon | |
1542 | T1059.003:Windows Command Shell | MS Windows Event Logging XML - Security; MS Windows Event Logging - Security; MS Windows Event Logging XML - PowerShell; MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon; MS Windows Event Logging XML - Sysmon 8/9/10; MS Windows Event Logging - Sysmon | |
1544 | T1490:Inhibit System Recovery | MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon; MS Windows Event Logging XML - Sysmon 8/9/10 | |
1545 | T1562.001:Disable or Modify Tools:Windows Defender | MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon; MS Windows Event Logging XML - Sysmon 8/9/10; MS Windows Event Logging XML - Windows Defender | PowerShell module and script block logging must be enabled. Configuration steps can be found in the Logging and Monitoring Configuration section of the MITRE ATT&CK® Module Deployment Guide. |
1546 | T1106:Native API | MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon; MS Windows Event Logging XML - Sysmon 8/9/10 | |
1547 | T1027:Obfuscated Files or Information | MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon; MS Windows Event Logging XML - Sysmon 8/9/10; MS Windows Event Logging XML - System | |
1548 | T1059.001:PowerShell:ProviderLifeCycle | MS Windows Event Logging - PowerShell | Vendor Message ID: 600 |
1550 | T1621:MFA Request Generation:Okta Push from Non-Whitelisted Location | API - Okta Event | This rule depends on the CCF: Whitelisted Regions list included with the Consolidated Compliance Framework (CCF) Module (https://docs.logrhythm.com/docs/kb/compliance/consolidated-compliance-framework-ccf-module). If necessary, enable this module in your LogRhythm deployment and populate the list with approved regions. If you do not want to use the CCF Module, clone the rule and create a custom list of approved regions. |
1551 | T1621:MFA Request Generation:Rapid Okta AD Authentication Success | API - Okta Event | |
1552 | T1621:MFA Request Generation:Repeated OKTA Push Denies | API - Okta Event | |
1553 | T1621:MFA Request Generation:Repeated OKTA Push Denies then Allow | API - Okta Event | |
1554 | T1558.003:Kerberoasting:Invoke-Kerberoast | MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon | |
1555 | T1558.003:Kerberoasting:TGS Requests for Multiple Services | MS Windows Event Logging XML - Security | |
1556 | T1486:Data Encrypted for Impact: Feedback Source: File Read and Delete | MS Windows Event Logging XML - Security | Vendor Message ID: 4663 |
1557 | T1486:Data Encrypted for Impact: Rate | Advanced Intelligence Engine Events | Common Event AIE: T1486: DataEncrypted:FeedbackSource |
1558 | T1486:Data Encrypted for Impact: Threshold | Advanced Intelligence Engine Events | Common Event AIE: T1486: DataEncrypted:FeedbackSource |
1559 | T1562.002:Impair Defenses: Disable Windows Event Logging | MS Windows Event Logging XML - PowerShell; MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon | Processes: auditpol.exe. Registry: |
1565 | T1539:Steal Web Session Cookie | LogRhythm File Monitor (Windows); MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon | Processes: firefox.exe, chrome.exe, msedge.exe. Files: cookie, user.js, prefs.js |
1566 | T1134.002:Access Token Manipulation:Create Process with Token | MS Windows Event Logging XML - PowerShell; MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon | |

¹ When configuring log source collection, users can choose from the following MS Sysmon log source types:

Regardless of the MS Sysmon log source type chosen, MITRE ATT&CK module AI Engine rules reference only MS Windows Event Logging XML - Sysmon 8/9/10 (Policy ID 1000745).