Windows ATT&CK - Logging Cheat Sheet - Ver - Sept - 2018

This document is a "Windows ATT&CK Logging Cheat Sheet" that maps tactics and techniques from the Mitre ATT&CK framework to Windows event IDs. It provides definitions for tactics, techniques, technique IDs, and data sources. It then lists various collection techniques from the ATT&CK framework and maps them to the relevant Windows event IDs and data sources that could be used to detect those techniques through logging. Resources are also provided for further information on ATT&CK, Windows logging, and a tool called Log-MD that can help audit logging settings.

WINDOWS ATT&CK LOGGING CHEAT SHEET - Win 7 - Win 2012

This “Windows ATT&CK Logging Cheat Sheet” is intended to help you map the
tactics and techniques of the Mitre ATT&CK framework to Windows audit log
event IDs in order to know what to collect and harvest, and also what you could
hunt for using Windows logging Event IDs.

DEFINITIONS::

TACTICS: The eleven (11) focus ATT&CK tactic areas that all techniques are mapped to.

 Initial Access
 Execution
 Persistence
 Privilege Escalation
 Defense Evasion
 Credential Access
 Discovery
 Lateral Movement
 Collection
 Exfiltration
 Command and Control

TECHNIQUE: The next level of detail that maps the type of item that is misused by the attacker and should be monitored.

TECHNIQUE ID: The Mitre Technique ID, used to get more details of the attacker's technique and how to defend against,
detect or hunt for it. Visit the link below.

DATA SOURCES: The detail of what to monitor for, in this case the log event IDs.

RESOURCES: Places to get more information


 Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) Framework
o https://attack.mitre.org
 MalwareArchaeology.com/cheat-sheets for more Windows cheat sheets
 Log-MD.com – The Log Malicious Discovery tool reads security-related log events and settings. Use Log-MD to audit
your log settings against the “Windows Logging Cheat Sheet” and Center for Internet Security (CIS) Benchmarks.
It is a standalone tool to help those with and without a log management solution find malicious activity.
 Google! – But of course

LEGEND::

Coverage of this technique is good.

Coverage of this technique is not complete.

There is no coverage of this technique.

SETTING AND MEASURING AUDIT LOGGING::

For what to set, and the options Windows logging offers, refer to the “Windows Logging Cheat Sheet(s)” available at:

 https://www.malwarearchaeology.com/cheat-sheets/

To measure the compliance of settings against many industry audit policy standards, use LOG-MD available at:

 https://www.log-md.com/compare/
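Putting the mapping to work, as an added example that is not part of the cheat sheet or of Log-MD: the PowerShell below encodes a few of the Collection rows from the table (technique ID to Security event IDs) and joins each 4663 file-access event to the 4688 process-creation event carrying the same process ID, so a file touched during, say, Data Staged (T1074) is listed with the command line that touched it. It assumes the audit policy from the Windows Logging Cheat Sheet is in place (process creation with command line, object access with a SACL on the watched folder) and an elevated shell; the function names are mine.

```powershell
# Added example, not from the cheat sheet or Log-MD. Assumes the Security log
# already records 4688 with command line and 4663 object access (see the
# Windows Logging Cheat Sheet) and that this runs in an elevated shell.

# Subset of the cheat sheet's Collection rows: technique ID -> Security event IDs.
$TechniqueEvents = @{
    'T1005' = @(4688, 4663)              # Data from Local System
    'T1039' = @(4688, 4663, 5140, 5145)  # Data from Network Shared Drive
    'T1074' = @(4688, 4663)              # Data Staged
    'T1114' = @(4688, 4663, 4624, 5156)  # Email Collection
}

function Get-TechniqueEvents {
    param(
        [Parameter(Mandatory)][string]$TechniqueId,
        [datetime]$StartTime = (Get-Date).AddHours(-24)
    )
    $ids = $TechniqueEvents[$TechniqueId]
    if (-not $ids) { throw "No event ID mapping for $TechniqueId" }
    # An empty window is not an error here, so suppress "No events were found".
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $StartTime } -ErrorAction SilentlyContinue
}

# Flatten the EventData section of an event record into a name -> value hashtable.
function ConvertTo-EventData {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# Join 4663 (File monitoring) to 4688 (Process Execution / CMD Line) on the
# hex process ID both events carry. PIDs are reused, so keep the window short
# enough that one PID maps to one process.
function Join-ProcessToFileAccess {
    param(
        [Parameter(Mandatory)][string]$TechniqueId,
        [datetime]$StartTime = (Get-Date).AddHours(-24)
    )
    $events = Get-TechniqueEvents -TechniqueId $TechniqueId -StartTime $StartTime

    # 4688: NewProcessId is the PID of the process that was created.
    $procs = @{}
    foreach ($e in ($events | Where-Object Id -eq 4688)) {
        $d = ConvertTo-EventData -Event $e
        $procs[$d.NewProcessId] = $d
    }

    # 4663: ProcessId is the PID of the process that touched the object.
    foreach ($e in ($events | Where-Object Id -eq 4663)) {
        $d = ConvertTo-EventData -Event $e
        $p = $procs[$d.ProcessId]
        $cmd = if ($p) { $p.CommandLine } else { '<no matching 4688 in window>' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Technique   = $TechniqueId
            User        = $d.SubjectUserName
            Object      = $d.ObjectName
            AccessMask  = $d.AccessMask
            Process     = $d.ProcessName
            CommandLine = $cmd
        }
    }
}

# Usage: Join-ProcessToFileAccess -TechniqueId 'T1074' | Format-Table -AutoSize
```

A 4663 row without a matching 4688 usually means the process started before the window or command-line auditing is off, which is exactly the gap Log-MD's settings audit is meant to surface.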

Sept 2018 ver 1.0 MalwareArchaeology.com Page 1 of 15


TACTIC: COLLECTION

Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

Tactic | Technique Name | Technique ID | Data Sources (Windows event ID, where one applies)
Collection | Audio Capture | T1123 | 4688 Process Execution; 4663 File monitoring; API monitoring
Collection | Automated Collection | T1119 | 4688 Process CMD Line; 4663 File monitoring; Data loss prevention
Collection | Clipboard Data | T1115 | API monitoring
Collection | Data from Information Repositories | T1213 | Application Logs; Authentication logs; Data loss prevention; Third-party application logs
Collection | Data from Local System | T1005 | 4688 Process CMD Line; 4688 Process Execution; 4663 File monitoring; 200-500, 4100-4104 PowerShell logs; 5861 WMI
Collection | Data from Network Shared Drive | T1039 | 4688 Process CMD Line; 4688 Process Execution; 4663 File monitoring; 5140/5145 Share connection
Collection | Data from Removable Media | T1025 | 4688 Process CMD Line; 4688 Process Execution; 4663 File monitoring; 4657 Windows Registry; 5140/5145 Net Shares
Collection | Data Staged | T1074 | 4688 Process CMD Line; 4688 Process Execution; 4663 File monitoring
Collection | Email Collection | T1114 | 4688 Process Execution; 5156 Firewall Logs; 4624 Authentication logs; 4663 File monitoring
Collection | Man in the Browser | T1185 | 4624 Authentication logs; 4688 Process Execution; API monitoring; Packet capture
Collection | Screen Capture | T1113 | 4688 Process Execution; 4663 File monitoring; API monitoring



Collection | Video Capture | T1125 | 4688 Process Execution; 4663 File monitoring; API monitoring
Collection, Credential Access | Input Capture | T1056 | 4657 Windows Registry; 4688 Process Execution; Kernel drivers; API monitoring
Command and Control | Commonly Used Port | T1043 | 5156 Windows Firewall; 4688 Process Execution; Netflow/Enclave netflow; Packet capture
Command and Control | Communication Through Removable Media | T1092 | 4657 Registry Monitoring (USB Keys); 4663 File monitoring; Data loss prevention
Command and Control | Connection Proxy | T1090 | 5156 Windows Firewall; 4688 Process Execution; Netflow/Enclave netflow; Packet capture
Command and Control | Custom Command and Control Protocol | T1094 | 5156 Windows Firewall; 4688 Process Execution; Netflow/Enclave netflow; Packet capture
Command and Control | Custom Cryptographic Protocol | T1024 | 4688 Process CMD Line; 4688 Process Execution; 5156 Windows Firewall; Netflow/Enclave netflow; Packet capture; Malware reverse engineering
Command and Control | Data Encoding | T1132 | 5156 Windows Firewall; 4688 Process Execution; Packet capture; Network protocol analysis
Command and Control | Data Obfuscation | T1001 | 4688 Process Execution; 5156 Windows Firewall; FW Logs; Packet capture; Network protocol analysis
Command and Control | Domain Fronting | T1172 | SSL/TLS inspection; Packet capture
Command and Control | Fallback Channels | T1008 | 4688 Process Execution; 5156 Windows Firewall; Malware reverse engineering; Netflow/Enclave netflow; Packet capture
Command and Control | Multiband Communication | T1026 | 4688 Process CMD Line; 4688 Process Execution; 5156 Windows Firewall; Malware reverse engineering; Netflow/Enclave netflow; Packet capture
Command and Control | Multi-hop Proxy | T1188 | Network protocol analysis; Netflow/Enclave netflow
Command and Control | Multilayer Encryption | T1079 | 5156 Windows Firewall; 4688 Process Execution; Malware reverse engineering; Packet capture



Command and Control | Multi-Stage Channels | T1104 | 5156 Windows Firewall; Network device logs; Network protocol analysis; Netflow/Enclave netflow; Packet capture
Command and Control | Remote Access Tools | T1219 | 5156 Windows Firewall; 4688 Process Execution; Network intrusion detection system; Network protocol analysis
Command and Control | Standard Application Layer Protocol | T1071 | 5156 Windows Firewall; 4688 Process Execution; Network intrusion detection system; Network protocol analysis
Command and Control | Standard Cryptographic Protocol | T1032 | 5156 Windows Firewall; 4688 Process Execution; Malware reverse engineering; SSL/TLS inspection; Netflow/Enclave netflow; Packet capture
Command and Control | Standard Non-Application Layer Protocol | T1095 | 5156 Windows Firewall; 4688 Process Execution; Malware reverse engineering; Netflow/Enclave netflow; Packet capture
Command and Control | Uncommonly Used Port | T1065 | 5156 Windows Firewall; 4688 Process Execution; Netflow/Enclave netflow
Command and Control, Defense Evasion | Web Service | T1102 | Host network interface; Netflow/Enclave netflow; Network protocol analysis; Packet capture; SSL/TLS inspection
Command and Control, Lateral Movement | Remote File Copy | T1105 | 4663 File monitoring; 5156 Windows Firewall; 4688 Process Execution; Netflow/Enclave netflow; Packet capture; Network protocol analysis
Credential Access | Account Manipulation | T1098 | 4624 Authentication logs; Windows event logs; Packet capture; API monitoring
Credential Access | Brute Force | T1110 | 4624 Authentication logs
Credential Access | Credential Dumping | T1003 | 4688 Process CMD Line; 4688 Process Execution; 200-500, 4100-4104 PowerShell logs; Other Event IDs; Memory Forensics; API monitoring
Credential Access | Credentials in Files | T1081 | 4663 File monitoring; 4688 Process CMD Line
Credential Access | Credentials in Registry | T1214 | 4657 Windows Registry; 4688 Process CMD Line; 4688 Process Execution



Credential Access | Exploitation for Credential Access | T1212 | 4624 Authentication logs; 4688 Process Execution; 1000, 1001 Windows Error Reporting
Credential Access | Forced Authentication | T1187 | 5156 Windows Firewall; 4663 File monitoring; Network device logs; Network protocol analysis
Credential Access | Kerberoasting | T1208 | 4769 Windows event logs
Credential Access | LLMNR/NBT-NS Poisoning | T1171 | 4657 Windows Registry; 5156 Windows Firewall; Netflow/Enclave netflow; Packet capture
Credential Access | Network Sniffing | T1040 | Network device logs; Host network interface; Netflow/Enclave netflow
Credential Access | Password Filter DLL | T1174 | 4688 Process Execution; 4657 Windows Registry; Sysmon DLL monitoring; Autoruns
Credential Access | Private Keys | T1145 | 4657 File monitoring
Credential Access | Two-Factor Authentication Interception | T1111 | MFA
Credential Access, Persistence, Privilege Escalation | Hooking | T1179 | 4688 Process Execution; Windows event logs; Sysmon ID 7 DLL monitoring; Sysmon ID 7 Loaded DLLs; Binary file metadata; API monitoring
Defense Evasion | Binary Padding | T1009 | 4688 Process CMD Line; 4688 Process Execution; 4663 File monitoring; Binary file metadata
Defense Evasion | Code Signing | T1116 | B9 Binary file metadata; LMD - File Hash
Defense Evasion | DCShadow | T1207 | 4624 Authentication logs; Network protocol analysis; Packet capture; API monitoring
Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | 4688 Process CMD Line; 4688 Process Execution; 4663 File monitoring
Defense Evasion | Disabling Security Tools | T1089 | 4688 Process CMD Line; 4689 Process Term; 4657 Windows Registry; 4663 File monitoring; 7040 Service Changed; API monitoring; Anti-virus



Defense Evasion | DLL Side-Loading | T1073 | 5156 Windows Firewall; 4688 Process Execution; Sysmon ID 7 Loaded DLLs
Defense Evasion | Exploitation for Defense Evasion | T1211 | 4688 Process Execution; 4663 File monitoring; 1000, 1001 Windows Error Reporting
Defense Evasion | File Deletion | T1107 | 4688 Process CMD Line; 4663 File monitoring; B9 Binary file metadata
Defense Evasion | File System Logical Offsets | T1006 | 4688 Process CMD Line; 4688 Process Execution; 200-500, 4100-4104 PowerShell logs; 4663 File monitoring; API monitoring
Defense Evasion | Indicator Blocking | T1054 | 4688 Process CMD Line; 4688 Sensor health and status
Defense Evasion | Indicator Removal from Tools | T1066 | 4688 Process CMD Line; 4688 Process Execution; 5156 Windows Firewall; Anti-virus; B9 Binary file metadata
Defense Evasion | Indicator Removal on Host | T1070 | 4663 File monitoring; 4688 Process CMD Line; 4688 Process Execution
Defense Evasion | Indirect Command Execution | T1202 | 4688 Process CMD Line; 4688 Process Execution; Windows event logs; Sysmon ID 1 & 7
Defense Evasion | Install Root Certificate | T1130 | 4657 Reg Audit; Digital Certificate Logs; SSL/TLS inspection
Defense Evasion | Masquerading | T1036 | 4688 Process Execution; 4663 File monitoring; File Hashing; B9 Binary file metadata
Defense Evasion | Modify Registry | T1112 | 4657 Windows Registry; 4688 Process Execution; 4688 Process CMD Line; 4663 File monitoring; LMD Reg Compare
Defense Evasion | Network Share Connection Removal | T1126 | 4688 Process Execution; 4688 Process CMD Line; 4624 Authentication logs; 5140/5145 Net Shares; Packet capture
Defense Evasion | NTFS File Attributes | T1096 | 4663 File monitoring; Kernel drivers; API monitoring; LMD Hash Compare; EA, ADS



Defense Evasion | Obfuscated Files or Information | T1027 | 5156 Windows Firewall; 4688 Process CMD Line; 4663 File Auditing / File monitoring; B9 Binary file metadata; Malware reverse engineering; Network protocol analysis; Windows event logs; Environment variable; Network intrusion detection system; Email gateway; SSL/TLS inspection
Defense Evasion | Process Doppelgänging | T1186 | 4688 Process Execution; API monitoring
Defense Evasion | Process Hollowing | T1093 | 4688 Process Execution; LMD - B9; API monitoring; Check with Fred
Defense Evasion | Rootkit | T1014 | 4688 Process Execution; LOG-MD File Hash Compare; LOG-MD AutoRuns; LOG-MD Windows Registry Compare; BIOS; MBR; System calls
Defense Evasion | Software Packing | T1045 | LOG-MD - B9 Binary file metadata
Defense Evasion | Timestomp | T1099 | 4688 Process CMD Line; 4688 Process Execution; 4663 File monitoring
Defense Evasion, Execution | CMSTP | T1191 | 4688 Process Execution; 4688 Process CMD Line
Defense Evasion, Execution | Control Panel Items | T1196 | 4688 Process CMD Line; 4688 Process Execution; 4657 Windows Registry; Windows event logs; Binary file metadata; DLL monitoring; API monitoring
Defense Evasion, Execution | InstallUtil | T1118 | 4688 Process Execution; 4688 Process CMD Line; Sysmon ID 1 & 7
Defense Evasion, Execution | Mshta | T1170 | 4688 Process Execution; 4688 Process CMD Line; Sysmon ID 1 & 7
Defense Evasion, Execution | Regsvcs/Regasm | T1121 | 4688 Process Execution; 4688 Process CMD Line; Sysmon ID 1 & 7
Defense Evasion, Execution | Regsvr32 | T1117 | 4688 Process CMD Line; 4688 Process Execution; Sysmon ID 7 Loaded DLLs; 4657 Windows Registry
Defense Evasion, Execution | Rundll32 | T1085 | 4688 Process CMD Line; 4688 Process Execution; 4663 File monitoring; Binary file metadata



Defense Evasion, Execution | Scripting | T1064 | 4688 Process CMD Line; 4688 Process Execution; 4663 File monitoring; LMD - Hash Compare
Defense Evasion, Execution | Signed Binary Proxy Execution | T1218 | 4688 Process Execution; 4688 Process CMD Line
Defense Evasion, Execution | Signed Script Proxy Execution | T1216 | 4688 Process Execution; 4688 Process CMD Line
Defense Evasion, Execution | Trusted Developer Utilities | T1127 | 4688 Process Execution; 4688 Process CMD Line
Defense Evasion, Persistence | BITS Jobs | T1197 | BITS Logs (Windows event logs); 4688 Process CMD Line; API monitoring; Packet capture
Defense Evasion, Persistence | Component Firmware | T1109 | 4688 Process CMD Line; 4663 File Monitoring
Defense Evasion, Persistence | Component Object Model Hijacking | T1122 | 4688 Process CMD Line; LOG-MD Windows Registry Compare; DLL monitoring; Loaded DLLs
Defense Evasion, Persistence | Hidden Files and Directories | T1158 | 4663 File monitoring; 4688 Process Execution; 4688 Process CMD Line; LMD Hash Compare
Defense Evasion, Persistence | Redundant Access | T1108 | 4688 Process Execution; 4663 File monitoring; 5156 Windows Firewall; LMD - B9 Binary file metadata; 4624 Login / Auth Logs; Network protocol analysis; Packet capture
Defense Evasion, Persistence | SIP and Trust Provider Hijacking | T1198 | 4688 Process Execution; 4657 Windows Registry; Windows event logs; DLL monitoring; Loaded DLLs; Application Logs; API monitoring
Defense Evasion, Persistence, Privilege Escalation | DLL Search Order Hijacking | T1038 | 4688 Process CMD Line; 4688 Process Execution; 4663 File monitoring; Sysmon ID 7 DLL monitoring
Defense Evasion, Persistence, Privilege Escalation | Image File Execution Options Injection | T1183 | 4688 Process Execution; 4657 Windows Registry; Windows event logs; LMD - Autoruns
Defense Evasion, Persistence, Privilege Escalation, Initial Access | Valid Accounts | T1078 | 4624 Authentication logs; 4688 Process Execution



Defense Evasion, Privilege Escalation | Access Token Manipulation | T1134 | 4688 Process CMD Line; API monitoring; Access Tokens
Defense Evasion, Privilege Escalation | Bypass User Account Control | T1088 | 4688 Process Execution; 4688 Process CMD Line; 4624 Authentication logs; System calls
Defense Evasion, Privilege Escalation | Extra Window Memory Injection | T1181 | (no data sources listed)
Defense Evasion, Privilege Escalation | Process Injection | T1055 | 4657 Windows Registry; 4688 Process Execution; 4663 File monitoring; DLL monitoring; Named Pipes; API monitoring
Discovery | Account Discovery | T1087 | 4688 Process CMD Line; 4688 Process Execution; API monitoring
Discovery | Application Window Discovery | T1010 | 4688 Process Execution; 4688 Process CMD Line; API monitoring
Discovery | Browser Bookmark Discovery | T1217 | 4663 File monitoring; 4688 Process CMD Line; 4688 Process Execution; API monitoring
Discovery | File and Directory Discovery | T1083 | 4663 File monitoring; 4688 Process CMD Line; 4688 Process Execution
Discovery | Network Service Scanning | T1046 | 4688 Process CMD Line; 5156 Windows Firewall; Netflow/Enclave netflow; Packet capture; Network protocol analysis
Discovery | Network Share Discovery | T1135 | 4688 Process Execution; 4688 Process CMD Line; 5156 Windows Firewall; 5140/5145 Net Shares; Network protocol analysis
Discovery | Password Policy Discovery | T1201 | 4688 Process CMD Line; 4688 Process Execution
Discovery | Peripheral Device Discovery | T1120 | 4688 Process CMD Line; 4688 Process Execution
Discovery | Permission Groups Discovery | T1069 | 4688 Process CMD Line; 4688 Process Execution; API monitoring
Discovery | Process Discovery | T1057 | 4688 Process CMD Line; 4688 Process Execution
Discovery | Query Registry | T1012 | 4688 Process Execution; 4688 Process CMD Line; Windows Registry



Discovery | Remote System Discovery | T1018 | 4688 Process Execution; 4688 Process CMD Line; 5156 Win Firewall; Network protocol analysis
Discovery | Security Software Discovery | T1063 | 4663 File monitoring; 4688 Process CMD Line; 4688 Process Execution
Discovery | System Information Discovery | T1082 | 4688 Process CMD Line; 4688 Process Execution
Discovery | System Network Configuration Discovery | T1016 | 4688 Process Execution; 4688 Process CMD Line; 200-500, 4100-4104 PowerShell; 5861 WMI
Discovery | System Network Connections Discovery | T1049 | 4688 Process CMD Line; 4688 Process Execution
Discovery | System Owner/User Discovery | T1033 | 4688 Process CMD Line; 4688 Process Execution; 4663 File monitoring; PowerShell; WMI; 4624 Auth
Discovery | System Service Discovery | T1007 | 4688 Process Execution; 4688 Process CMD Line; 5861 WMI
Discovery | System Time Discovery | T1124 | 4688 Process Execution; 4688 Process CMD Line; API monitoring
Execution | Command-Line Interface | T1059 | 4688 Process CMD Line; 4688 Process Execution
Execution | Dynamic Data Exchange | T1173 | 4688 Process Execution; 4657 Windows Registry; Windows event logs; DLL monitoring; API monitoring
Execution | Execution through API | T1106 | 4688 Process Execution; API monitoring
Execution | Execution through Module Load | T1129 | 4688 Process Execution; 4663 File monitoring; DLL monitoring; API monitoring
Execution | Exploitation for Client Execution | T1203 | 4688 Process Execution; 5156 Windows Firewall; Anti-virus; System calls
Execution | Graphical User Interface | T1061 | 4688 Process CMD Line; 4688 Process Execution; 4663 File monitoring; B9 Binary file metadata
Execution | PowerShell | T1086 | 4688 Process CMD Line; 4688 Process Execution; 4663 File monitoring; 4657 Windows Registry
Execution | Service Execution | T1035 | 4688 Process CMD Line; 4688 Process Execution; 4657 Windows Registry; 7045 New Service; 7040 Service Change
Execution | User Execution | T1204 | 4688 Process CMD Line; 4688 Process Execution; Anti-virus
Execution | Windows Management Instrumentation | T1047 | 4688 Process CMD Line; 4688 Process Execution; 4624 Authentication logs; Netflow/Enclave netflow
Execution, Lateral Movement | Third-party Software | T1072 | 4688 Process Execution; 5156 Windows Firewall; 4657 Windows Registry; 4663 File monitoring; Binary file metadata; Third-party application logs
Execution, Lateral Movement | Windows Remote Management | T1028 | 4688 Process CMD Line; 4688 Process Execution; 5156 Windows Firewall; 4624 Authentication logs; 5140/5145 Net Shares; 4663 File monitoring; Netflow/Enclave netflow
Execution, Persistence | LSASS Driver | T1177 | 4688 Process Execution; 4663 File monitoring; DLL monitoring; Sysmon ID 6 Kernel drivers; Loaded DLLs; API monitoring
Execution, Persistence, Privilege Escalation | Scheduled Task | T1053 | 4688 Process CMD Line; 4688 Process Execution; 4663 File monitoring; Windows event logs
Exfiltration | Automated Exfiltration | T1020 | 4688 Process Execution; 4688 Process CMD Line; 4663 File monitoring; 5156 Windows Firewall
Exfiltration | Data Compressed | T1002 | 4688 Process Execution; 4688 Process CMD Line; 4663 File Monitoring; 5156 Windows Firewall; Binary file metadata; IDS/IPS; DLP
Exfiltration | Data Encrypted | T1022 | 4688 Process Execution; 4688 Process CMD Line; 4663 File monitoring; Binary file metadata; IDS/IPS; DLP; Network protocol analysis
Exfiltration | Data Transfer Size Limits | T1030 | 5156 Windows Firewall; 4688 Process Execution; Netflow/Enclave netflow; Packet capture
Exfiltration | Exfiltration Over Alternative Protocol | T1048 | 4688 Process Execution; 5156 Windows Firewall; Netflow/Enclave netflow; Packet capture; Network protocol analysis; User interface
Exfiltration | Exfiltration Over Command and Control Channel | T1041 | 4688 Process Execution; 5156 Windows Firewall; LMD - SRUM; User interface
Exfiltration | Exfiltration Over Other Network Medium | T1011 | 4688 Process Execution; 4688 Process CMD Line; 5156 Windows Firewall; User interface



Exfiltration | Exfiltration Over Physical Medium | T1052 | 4657 Registry - USB Keys; 219, 441 Registry - USB/PnP IDs; File monitoring; Data loss prevention
Exfiltration | Scheduled Transfer | T1029 | 5156 Windows Firewall; 4688 Process Execution; 100-200 Scheduled Tasks; Netflow/Enclave netflow
Initial Access | Drive-by Compromise | T1189 | 4688 Process Execution; 5156 Windows Firewall; Network intrusion detection system; Web proxy; SSL/TLS inspection; Packet capture; Network device logs
Initial Access | Exploit Public-Facing Application | T1190 | Application logs; Packet capture; Web application firewall logs; Web logs
Initial Access | Hardware Additions | T1200 | Asset Management; Data loss prevention
Initial Access | Spearphishing Attachment | T1193 | 4688 Process Execution; 4663 File monitoring; Network intrusion detection system; Packet capture; Detonation chamber; Mail server; Email gateway
Initial Access | Spearphishing Link | T1192 | Packet capture; Web proxy; Detonation chamber; Email gateway; SSL/TLS inspection; DNS records; Mail server
Initial Access | Spearphishing via Service | T1194 | Anti-virus; SSL/TLS inspection; Web proxy
Initial Access | Supply Chain Compromise | T1195 | 4663 File monitoring; Web proxy
Initial Access | Trusted Relationship | T1199 | Application Logs; Authentication logs; Third-party application logs
Lateral Movement | Application Deployment Software | T1017 | 4688 Process Execution; 4688 Process CMD Line; 4663 File monitoring; 5156 Windows Firewall
Lateral Movement | Distributed Component Object Model | T1175 | 4688 Process Execution; 4657 Windows Registry; Authentication logs; Windows event logs; DLL monitoring; API monitoring; Packet capture
Lateral Movement | Exploitation of Remote Services | T1210 | 4688 Process Execution; 4663 File monitoring; 1000, 1001 Windows Error Reporting
Lateral Movement | Pass the Hash | T1075 | 4624 Authentication logs



Lateral Movement | Pass the Ticket | T1097 | 4624 Authentication logs
Lateral Movement | Remote Desktop Protocol | T1076 | 4688 Process Execution; 4624 Authentication logs; Netflow/Enclave netflow
Lateral Movement | Remote Services | T1021 | 4624, 4625 Authentication logs; 21, 23, 25, 41 RDP Logs
Lateral Movement | Shared Webroot | T1051 | 4663 File monitoring; 4688 Process Execution
Lateral Movement | Taint Shared Content | T1080 | 4663 File monitoring; 4688 Process Execution
Lateral Movement | Windows Admin Shares | T1077 | 5156 Windows Firewall; 4624 Authentication logs; 4688 Process CMD Line; 4688 Process Execution
Lateral Movement, Credential Access, Initial Access | Replication Through Removable Media | T1091 | 4657 Windows Registry; 219, 421, 4657 USB/PnP IDs; 4663 File monitoring; Data loss prevention
Lateral Movement, Persistence | Logon Scripts | T1037 | 4688 Process Execution; 4663 File monitoring
Persistence | Authentication Package | T1131 | 4657 Windows Registry; DLL monitoring; Loaded DLLs
Persistence | Bootkit | T1067 | API monitoring; MBR; VBR
Persistence | Browser Extensions | T1176 | 5156 Windows Firewall; 4688 Process Execution; 4663 File Audit; Network protocol analysis; Packet capture; Browser extensions; System calls
Persistence | Change Default File Association | T1042 | 4657 Windows Registry; 4688 Process CMD Line; 4688 Process Execution
Persistence | Create Account | T1136 | 4688 Process Execution; 4688 Process CMD Line; 4624 Authentication logs; Windows event logs
Persistence | External Remote Services | T1133 | 4624 Authentication logs
Persistence | Hypervisor | T1062 | System calls



Persistence | Modify Existing Service | T1031 | 4688 Process CMD Line; 4688 Process Execution; 4657 Windows Registry; 4663 File monitoring; 7040 Service Change
Persistence | Netsh Helper DLL | T1128 | 4688 Process Execution; 4657 Windows Registry; DLL monitoring
Persistence | Office Application Startup | T1137 | 4688 Process Execution; 4688 Process CMD Line; 4657 Windows Registry; 4663 File monitoring
Persistence | Registry Run Keys / Start Folder | T1060 | 4657 Windows Registry; 4663 File monitoring
Persistence | Screensaver | T1180 | 4688 Process Execution; 4688 Process CMD Line; 4657 Windows Registry; 4663 File monitoring
Persistence | Security Support Provider | T1101 | 4657 Windows Registry; DLL monitoring; Loaded DLLs
Persistence | Shortcut Modification | T1023 | 4688 Process Execution; 4688 Process CMD Line; 4663 File monitoring
Persistence | System Firmware | T1019 | BIOS; EFI; API monitoring
Persistence | Time Providers | T1209 | 4688 Process Execution; 4663 File monitoring; DLL monitoring; Loaded DLLs; Binary file metadata; API monitoring
Persistence | Windows Management Instrumentation Event Subscription | T1084 | 5861 WMI Objects
Persistence | Winlogon Helper DLL | T1004 | 4688 Process Execution; 4657 Windows Registry; 4663 File monitoring; LOG-MD AutoRuns Hash Compare
Persistence, Privilege Escalation | Accessibility Features | T1015 | 4688 Process Execution; 4657 Windows Registry; 4663 File monitoring; AutoRuns
Persistence, Privilege Escalation | AppCert DLLs | T1182 | 4688 Process Execution; 4657 Windows Registry; Loaded DLLs
Persistence, Privilege Escalation | AppInit DLLs | T1103 | 4688 Process Execution; 4657 Windows Registry; Loaded DLLs



Persistence, Privilege Escalation | Application Shimming | T1138 | 4688 Process CMD Line; 4688 Process Execution; 4657 Windows Registry; Loaded DLLs; System calls
Persistence, Privilege Escalation | File System Permissions Weakness | T1044 | 4663 File monitoring; 4688 Process CMD Line; 7040, 7045 Services
Persistence, Privilege Escalation | New Service | T1050 | 4657 Windows Registry; 4688 Process Execution; 4688 Process CMD Line
Persistence, Privilege Escalation | Path Interception | T1034 | 4688 Process Execution; 4663 File monitoring; 8000-8027, 866 Whitelist Failures
Persistence, Privilege Escalation | Port Monitors | T1013 | 4688 Process Execution; 4657 Windows Registry; 4663 File monitoring; DLL monitoring; AutoRuns; API monitoring
Persistence, Privilege Escalation | Service Registry Permissions Weakness | T1058 | 4688 Process CMD Line; 4657 Windows Registry; 7040, 7045 Services
Persistence, Privilege Escalation | Web Shell | T1100 | 4688 Process Execution; 4663 File monitoring; 4624, 4625 Authentication logs; Netflow/Enclave netflow; Anti-virus
Privilege Escalation | Exploitation for Privilege Escalation | T1068 | 4688 Process Execution; 1000, 1001 Windows Error Reporting; Application Logs
Privilege Escalation | SID-History Injection | T1178 | 4624, 4625 Authentication logs; Windows event logs; API monitoring

