MITRE ATT&CK® Ransomware - AI Engine Rules

AI Rule ID	AI Rule Name	Log Sources Referenced by Rule	Items to Monitor
1463	T1082:System Information Discovery	MS Windows Event Logging XML - Security MS Windows Event Logging XML - Sysmon¹	Processes: Reg.exe
1464	T1059.001:PowerShell	MS Windows Event Logging - PowerShell MS Windows Event Logging XML - Security MS Windows Event Logging XML - Sysmon MS Windows Event Logging XML - Sysmon 8/9/10	Processes: Powershell.exe
1479	T1083:File and Directory Discovery	MS Windows Event Logging - PowerShell MS Windows Event Logging XML - PowerShell MS Windows Event Logging XML - Security (v1 & v2) MS Windows Event Logging XML - Sysmon (v1 & v2) MS Windows Event Logging XML - Sysmon 8/9/10	Configuration: PowerShell Module logging must be enabled Windows process and common-line auditing must be enabled Microsoft Sysmon's configuration for Event ID 1: Process creation must include (or not exclude) cmd.exe and tree.com. Refer to the Logging and Monitoring Configuration section of the MITRE ATT&CK Module Deployment Guide for more information. Tuning: Exclude accounts from trusted backup/scanning utilities such as vulnerability scanners or backup software that frequently perform file and directory scanning.
1541	T1489:Service Stop	MS Windows Event Logging XML - Security MS Windows Event Logging - Security MS Windows Event Logging XML - PowerShell MS Windows Event Logging - PowerShell MS Windows Event Logging XML - Sysmon MS Windows Event Logging XML - Sysmon 8/9/10 MS Windows Event Logging - Sysmon
1542	T1059.003:Windows Command Shell	MS Windows Event Logging XML - Security MS Windows Event Logging - Security MS Windows Event Logging XML - PowerShell MS Windows Event Logging - PowerShell MS Windows Event Logging XML - Sysmon MS Windows Event Logging XML - Sysmon 8/9/10 MS Windows Event Logging - Sysmon
1544	T1490:Inhibit System Recovery	MS Windows Event Logging - PowerShell MS Windows Event Logging XML - Security MS Windows Event Logging XML - Sysmon MS Windows Event Logging XML - Sysmon 8/9/10
1545	T1562.001:Disable or Modify Tools:Windows Defender	MS Windows Event Logging - PowerShell MS Windows Event Logging XML - Security MS Windows Event Logging XML - Sysmon MS Windows Event Logging XML - Sysmon 8/9/10 MS Windows Event Logging XML - Windows Defender	PowerShell module and script block logging must be enabled. Configuration steps can be found in the Logging and Monitoring Configuration section of the MITRE ATT&CK® Module Deployment Guide.
1546	T1106:Native API	MS Windows Event Logging XML - Security MS Windows Event Logging XML - Sysmon MS Windows Event Logging XML - Sysmon 8/9/10
1547	T1027:Obfuscated Files or Information	MS Windows Event Logging - PowerShell MS Windows Event Logging XML - Security MS Windows Event Logging XML - Sysmon MS Windows Event Logging XML - Sysmon 8/9/10 MS Windows Event Logging XML - System
1548	T1059.001:PowerShell:ProviderLifeCycle	MS Windows Event Logging - PowerShell	Vendor Message ID: 600
1556	T1486: Data Encrypted for Impact: Feedback Source: File Read and Delete	MS Windows Event Logging XML - Security	Vendor Message ID 4663
1557	T1486:Data Encrypted for Impact: Rate	Advanced Intelligence Engine Events	Common Event AIE: T1486: DataEncrypted:FeedbackSource
1558	T1486:Data Encrypted for Impact: Threshold	Advanced Intelligence Engine Events	Common Event AIE: T1486: DataEncrypted:FeedbackSource
1559	1562.002: Impair Defenses: Disable Windows Event Logging	MS Windows Event Logging XML - PowerShell MS Windows Event Logging XML - Security MS Windows Event Logging XML - Sysmon	Processes: auditpol.exe appcmd.exe reg.exe Registry: hklm\system\currentcontrolset\control\minint\(default)

¹ _{When configuring log source collection, users can choose from the following MS Sysmon log source types:}

_{MS Windows Event Logging XML - Sysmon}
_{MS Windows Event Logging XML - Sysmon 8/9}
_{MS Windows Event Logging XML - Sysmon 8/9/10}

_{Regardless of the MS Sysmon log source type chosen, MITRE ATT&CK module AI Engine rules reference only MS Windows Event Logging XML - Sysmon 8/9/10 (Policy ID 1000745).}