Windows ATT&CK - Logging Cheat Sheet - Ver - Sept - 2018
This “Windows ATT&CK Logging Cheat Sheet” maps the tactics and techniques of the
MITRE ATT&CK framework to Windows audit log Event IDs, so you know which events to
collect and harvest, and which Event IDs you can hunt against for each technique.
DEFINITIONS::
TACTICS: The eleven (11) focus ATT&CK tactic areas that all techniques are mapped to.
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Exfiltration
Command and Control
TECHNIQUE: The next level of detail; it names the type of item the attacker misuses and that should be monitored.
TECHNIQUE ID: The MITRE Technique ID, used to look up the details of the attacker's technique and how to defend
against, detect, or hunt for it on the MITRE ATT&CK site.
DATA SOURCES: What to monitor for each technique; on this sheet, chiefly the Windows log Event IDs.
LEGEND::
For what to set and the options of Windows logging, refer to the “Windows Logging Cheat Sheet(s)” available at:
https://www.malwarearchaeology.com/cheat-sheets/
To measure the compliance of your settings against many industry audit policy standards, use LOG-MD, available at:
https://www.log-md.com/compare/
COLLECTION: Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.
TACTIC | TECHNIQUE | TECHNIQUE ID | DATA SOURCES (Windows Event IDs in parentheses)
Credential Access | Account Manipulation | T1098 | Authentication logs (4624); Windows event logs; Packet capture; API monitoring
Credential Access | Brute Force | T1110 | Authentication logs (4624)
Credential Access | Credential Dumping | T1003 | Process Execution (4688); Process CMD Line (4688); PowerShell logs (200-500, 4100-4104); Other: Memory Forensics; API monitoring
Credential Access | Credentials in Files | T1081 | File monitoring (4663); Process CMD Line (4688)
Credential Access | Credentials in Registry | T1214 | Windows Registry (4657); Process CMD Line (4688); Process Execution (4688)
Credential Access | Forced Authentication | T1187 | Windows Firewall (5156); File monitoring (4663); Network protocol analysis; Network device logs
Credential Access | Kerberoasting | T1208 | Windows event logs (4769)
Credential Access | LLMNR/NBT-NS Poisoning | T1171 | Windows Registry (4657); Windows Firewall (5156); Netflow/Enclave netflow; Packet capture
Credential Access | Network Sniffing | T1040 | Network device logs; Host network interface; Netflow/Enclave netflow
Credential Access | Password Filter DLL | T1174 | Process Execution (4688); Windows Registry (4657); DLL monitoring (Sysmon); Autoruns
Credential Access | Private Keys | T1145 | File monitoring (4663)
Credential Access | Two-Factor Authentication Interception | T1111 | MFA
Defense Evasion | Binary Padding | T1009 | Process Execution (4688); Process CMD Line (4688); File monitoring (4663); Binary file metadata
Defense Evasion | Code Signing | T1116 | Binary file metadata (B9); LMD - File Hash
Defense Evasion | DCShadow | T1207 | Authentication logs (4624); Network protocol analysis; Packet capture; API monitoring
Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | Process CMD Line (4688); Process Execution (4688); File monitoring (4663)
Defense Evasion | Disabling Security Tools | T1089 | Process CMD Line (4688); Process Term (4689); Windows Registry (4657); File monitoring (4663); Service Changed (7040); API monitoring; Anti-virus
Defense Evasion | Exploitation for Defense Evasion | T1211 | Process Execution (4688); File monitoring (4663); Windows Error Reporting (1000, 1001)
Defense Evasion | File Deletion | T1107 | Process CMD Line (4688); File monitoring (4663); Binary file metadata (B9)
Defense Evasion | File System Logical Offsets | T1006 | Process Execution (4688); Process CMD Line (4688); PowerShell logs (200-500, 4100-4104); File monitoring (4663); API monitoring
Defense Evasion | Indicator Blocking | T1054 | Process CMD Line (4688); Sensor health and status (4688)
Defense Evasion | Indicator Removal from Tools | T1066 | Process CMD Line (4688); Process Execution (4688); Windows Firewall (5156); Anti-virus; Binary file metadata (B9)
Defense Evasion | Indicator Removal on Host | T1070 | File monitoring (4663); Process CMD Line (4688); Process Execution (4688)
Defense Evasion | Indirect Command Execution | T1202 | Process CMD Line (4688); Process Execution (4688); Windows event logs / Sysmon (ID 1 & 7)
Defense Evasion | Install Root Certificate | T1130 | Reg Audit Logs (4657); Digital Certificate Logs; SSL/TLS inspection
Defense Evasion | Masquerading | T1036 | Process Execution (4688); File monitoring (4663); File Hashing; Binary file metadata (B9)
Defense Evasion | Modify Registry | T1112 | Windows Registry (4657); File monitoring (4663); Process Execution (4688); Process CMD Line (4688); LMD Reg Compare
Defense Evasion | Network Share Connection Removal | T1126 | Process Execution (4688); Process CMD Line (4688); Authentication logs (4624); Net Shares (5140/5145); Packet capture
Defense Evasion | NTFS File Attributes | T1096 | File monitoring (4663); Kernel drivers; API monitoring; LMD Hash Compare (EA, ADS)
Defense Evasion, Execution | Rundll32 | T1085 | Process CMD Line (4688); File monitoring (4663); Process Execution (4688); Binary file metadata
Persistence | Time Providers | T1209 | Process Execution (4688); File monitoring (4663); DLL monitoring / Loaded DLLs; API monitoring; Binary file metadata
Persistence | Windows Management Instrumentation Event Subscription | T1084 | WMI Objects (5861)
Persistence | Winlogon Helper DLL | T1004 | Process Execution (4688); File monitoring (4663); Windows Registry (4657); AutoRuns; LOG-MD Hash Compare
Persistence, Privilege Escalation | Accessibility Features | T1015 | Process Execution (4688); File monitoring (4663); Windows Registry (4657); AutoRuns
Persistence, Privilege Escalation | AppCert DLLs | T1182 | Process Execution (4688); Windows Registry (4657); Loaded DLLs
Persistence, Privilege Escalation | AppInit DLLs | T1103 | Process Execution (4688); Windows Registry (4657); Loaded DLLs

NOTES: 4688 carries the command line only when "Include command line in process creation events" is enabled alongside Audit Process Creation. 4663 (file) and 4657 (registry value) are only written for objects that carry an audit SACL, so set SACLs on the files and keys you want to watch. 4769 is logged on domain controllers. 5861 lives in the Microsoft-Windows-WMI-Activity/Operational log and 4100-4104 in Microsoft-Windows-PowerShell/Operational, not in the Security log.
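The following is an added example, not code from the cheat sheet or its authors, showing how three of the Event IDs in the table are actually hunted with Get-WinEvent: 4769 for Kerberoasting (T1208), 4688 command lines for Credential Dumping (T1003), and 4657 registry changes for the Password Filter DLL, Time Providers, Winlogon Helper DLL, AppCert DLLs and AppInit DLLs rows. It assumes an elevated session, that 4769 is read on a domain controller, that command-line auditing is on for 4688, and that the watched keys carry an audit SACL for 4657; the keyword list and the registry-key list are illustrative choices for this example, not something the sheet specifies.

```powershell
# Added example, not part of the original cheat sheet. Assumptions: run elevated;
# 4769 exists only on domain controllers; 4688 needs "Audit Process Creation" plus
# "Include command line in process creation events"; 4657 needs a SACL on the keys.
# The keyword and registry-key lists below are illustrative, not from the sheet.

function ConvertTo-EventData {
    # Flatten the <EventData> section of a record into one object whose properties
    # are the Data element names (TargetUserName, CommandLine, ObjectName, ...).
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $props = [ordered]@{ TimeCreated = $Event.TimeCreated; EventId = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
    [pscustomobject]$props
}

function Find-KerberoastRequests {
    # T1208 Kerberoasting: 4769 TGS requests that were issued (Status 0x0) with RC4
    # encryption (TicketEncryptionType 0x17). Computer accounts (name ends in $) and
    # krbtgt are excluded; they are not the service accounts Kerberoast targets.
    param([int]$Hours = 24)
    $ms = $Hours * 3600000
    $xpath = "*[System[EventID=4769 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
             "and EventData[Data[@Name='TicketEncryptionType']='0x17'] " +
             "and EventData[Data[@Name='Status']='0x0']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventData $_ } |
        Where-Object { $_.ServiceName -notmatch '\$$' -and $_.ServiceName -ne 'krbtgt' } |
        Group-Object TargetUserName, IpAddress |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}

function Find-CredentialDumpCommands {
    # T1003 Credential Dumping: 4688 process creations whose command line matches
    # patterns seen when LSASS, the SAM/SECURITY hives, or NTDS.dit are dumped.
    param([int]$Hours = 24)
    $patterns = @(
        'sekurlsa', 'lsadump', 'lsass',                      # mimikatz modules / LSASS as a target
        'comsvcs\.dll.*MiniDump', 'procdump',                # living-off-the-land and Sysinternals dumps
        'reg(\.exe)?\s+save\s+hklm\\(sam|security|system)', # hive export for offline cracking
        'ntdsutil', 'vssadmin\s+create\s+shadow'             # NTDS.dit via IFM or a shadow copy
    )
    $rx = $patterns -join '|'
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventData $_ } |
        Where-Object { $_.CommandLine -match $rx } |
        Select-Object TimeCreated, SubjectUserName, ParentProcessName, NewProcessName, CommandLine
}

function Find-PersistenceRegistryChanges {
    # T1174 / T1209 / T1004 / T1182 / T1103: 4657 value changes under the keys the
    # table maps to Windows Registry monitoring. A 4657 is only written for keys
    # that carry an audit SACL, so audit these keys before relying on this hunt.
    param([int]$Hours = 24)
    $keys = @(
        'Windows NT\\CurrentVersion\\Windows',      # AppInit_DLLs
        'Session Manager\\AppCertDlls',             # AppCert DLLs
        'Windows NT\\CurrentVersion\\Winlogon',     # Winlogon helper DLLs
        'Control\\Lsa',                              # Notification Packages (password filter DLL)
        'W32Time\\TimeProviders'                    # Time providers
    )
    $rx = $keys -join '|'
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventData $_ } |
        Where-Object { $_.ObjectName -match $rx } |
        Select-Object TimeCreated, SubjectUserName, ProcessName, ObjectName, ObjectValueName, OldValue, NewValue
}

# Usage: the Kerberoast hunt on a domain controller, the other two on any audited host.
Find-KerberoastRequests -Hours 24 | Format-Table -AutoSize
Find-CredentialDumpCommands -Hours 24 | Format-Table -Wrap
Find-PersistenceRegistryChanges -Hours 24 | Format-Table -Wrap
```

The 4769 hunt filters server-side with XPath on the named Data fields so the DC is not asked to return every TGS request, while the 4688 and 4657 hunts filter client-side because the match is a regular expression over free text. Grouping 4769 by requesting user and source IP is what separates a Kerberoast sweep (one principal asking for many RC4 service tickets in a short window) from normal use.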