MITRE ATT&CK® Ransomware - AI Engine Rules

1463

T1082:System Information Discovery

MS Windows Event Logging XML - Security

MS Windows Event Logging XML - Sysmon¹

Processes:

Reg.exe

1464

T1059.001:PowerShell

MS Windows Event Logging - PowerShell

MS Windows Event Logging XML - Security

MS Windows Event Logging XML - Sysmon

MS Windows Event Logging XML - Sysmon 8/9/10

Processes:

Powershell.exe

1479

T1083:File and Directory Discovery

MS Windows Event Logging - PowerShell

MS Windows Event Logging XML - PowerShell

MS Windows Event Logging XML - Security (v1 & v2)

MS Windows Event Logging XML - Sysmon (v1 & v2)

MS Windows Event Logging XML - Sysmon 8/9/10

Configuration:

PowerShell Module logging must be enabled
Windows process and common-line auditing must be enabled
Microsoft Sysmon's configuration for Event ID 1: Process creation  must include (or not exclude) cmd.exe and tree.com.

Refer to the Logging and Monitoring Configuration section of the MITRE ATT&CK Module Deployment Guide for more information.

Tuning:
Exclude accounts from trusted backup/scanning utilities such as vulnerability scanners or backup software that frequently perform file and directory scanning.

1541

T1489:Service Stop

MS Windows Event Logging XML - Security

MS Windows Event Logging - Security

MS Windows Event Logging XML - PowerShell

MS Windows Event Logging - PowerShell

MS Windows Event Logging XML - Sysmon

MS Windows Event Logging XML - Sysmon 8/9/10

MS Windows Event Logging - Sysmon

1542

T1059.003:Windows Command Shell

MS Windows Event Logging XML - Security

MS Windows Event Logging - Security

MS Windows Event Logging XML - PowerShell

MS Windows Event Logging - PowerShell

MS Windows Event Logging XML - Sysmon

MS Windows Event Logging XML - Sysmon 8/9/10

MS Windows Event Logging - Sysmon

1544

T1490:Inhibit System Recovery

MS Windows Event Logging - PowerShell

MS Windows Event Logging XML - Security

MS Windows Event Logging XML - Sysmon

MS Windows Event Logging XML - Sysmon 8/9/10

1545

T1562.001:Disable or Modify Tools:Windows Defender

MS Windows Event Logging - PowerShell

MS Windows Event Logging XML - Security

MS Windows Event Logging XML - Sysmon

MS Windows Event Logging XML - Sysmon 8/9/10

MS Windows Event Logging XML - Windows Defender

PowerShell module and script block logging must be enabled. Configuration steps can be found in the

section of the MITRE ATT&CK® Module Deployment Guide.

1546

T1106:Native API

MS Windows Event Logging XML - Security

MS Windows Event Logging XML - Sysmon

MS Windows Event Logging XML - Sysmon 8/9/10

1547

T1027:Obfuscated Files or Information

MS Windows Event Logging - PowerShell

MS Windows Event Logging XML - Security

MS Windows Event Logging XML - Sysmon

MS Windows Event Logging XML - Sysmon 8/9/10

MS Windows Event Logging XML - System

1548

T1059.001:PowerShell:ProviderLifeCycle

MS Windows Event Logging - PowerShell

Vendor Message ID:

600

1556

T1486: Data Encrypted for Impact: Feedback Source: File Read and Delete

MS Windows Event Logging XML - Security

Vendor Message ID 4663

1557

T1486:Data Encrypted for Impact: Rate

Advanced Intelligence Engine Events

Common Event AIE: T1486: DataEncrypted:FeedbackSource

1558

T1486:Data Encrypted for Impact: Threshold

Advanced Intelligence Engine Events

Common Event AIE: T1486: DataEncrypted:FeedbackSource

1559

1562.002: Impair Defenses: Disable Windows Event Logging

MS Windows Event Logging XML - PowerShell

MS Windows Event Logging XML - Security

MS Windows Event Logging XML - Sysmon

Processes:

auditpol.exe
appcmd.exe
reg.exe

Registry:
hklm\system\currentcontrolset\control\minint\(default)