
QLean for IBM Security QRadar SIEM: Admin Guide
www.scnsoft.com

MITRE Windows Integration App
for IBM Security QRadar SIEM

ADMIN GUIDE

© 2021 ScienceSoft | Page 1 from 43


MITRE Windows Integration App:
Admin Guide

Table of Contents
Overview ... 3
Supported Versions ... 3
Extension Installation ... 3
  Downloading Extension ... 3
  Installing Extension ... 4
App Description ... 4
  Rules overview ... 4
  Rules structure ... 5
  Application side ... 6
Prerequisites ... 7
  Configuring WinCollect Agent ... 8
  Configuring Sysmon ... 9
Usage ... 10
  Add legitimate Windows Users and Machine (host) ... 10
  Map rules to MITRE Techniques via Use Case Manager (Optional) ... 10
    - Manually ... 10
    - Automatically ... 11
Troubleshooting ... 12
Appendix A: Release notes ... 13
Appendix B: Custom Properties ... 14
Appendix C: Custom Rules ... 15


Overview
The MITRE Windows Integration App by ScienceSoft detects MITRE ATT&CK tactics based on the logs provided by the Microsoft Sysmon tool, which must be configured in a specific way (see Configuring Sysmon below).
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
While extensively tested and tuned, some rules are disabled by default to prevent potential false positives in a production SIEM environment, so make sure to enable them after the Sysmon configuration is done.
IMPORTANT: This complimentary application is a part of the full MITRE Windows Integration App package created by ScienceSoft. You can request this package as a commercial product, along with professional services support for Sysmon configuration and troubleshooting, at [email protected].

Supported Versions
Supported QRadar versions are:
• 7.3.2 GA and higher

NOTE: This solution is developed by ScienceSoft and is not supported by IBM. You can request your own custom QRadar application to be developed via the following email address: [email protected].

Extension Installation
The application is distributed as a QRadar extension. To install it, follow the steps below.

Downloading Extension
• Go to https://exchange.xforce.ibmcloud.com/hub
• Log in using your IBMid
• Filter by Type: Custom Rule


• Select the MITRE Windows Integration App extension
• Click the Download button at the top right corner
• Save the extension zip file

Installing Extension
• Log in to the QRadar UI
• Go to the Admin tab
• Open Extensions Management
• Click the Add button
• Select the Install immediately checkbox, click the Browse button, locate the extension file downloaded from IBM App Exchange, and click the Add button
• Confirm all the steps and wait for the installation to finish. This may take a while.
• Close the Extensions Management window and press Ctrl+F5 to fully reload the QRadar UI.
• Deploy changes if requested by QRadar

App Description
Rules overview
To get the list of MITRE ATT&CK rules, follow the steps below:
• Go to the Offense tab
• Click the Rules link
• Click the Group drop-down and select a MITRE group.


Rules structure
Click any MITRE ATT&CK group rule for more details.

IMPORTANT: For a MITRE ATT&CK rule to trigger, you must configure Sysmon for every rule you are interested in. The Notes section of every rule contains the detailed configuration to be performed. Scroll down the Notes section to review the whole configuration guide for the rule.

Press the Next button to check the Rule Response part.


The following wizard page shows the CRE event that will be generated when the rule triggers. The Event Name field contains the unique ID and name of the MITRE ATT&CK tactic. The Event Description field contains a short description.

Application side
The application has the following tabs:
• Authentication token: on this tab you automatically map the MITRE ATT&CK rules to Use Case Manager. See the Usage section of this guide.
• Hints: contains a description and short instructions on how to configure the Sysmon service.


• Sysmon Rules: a text form from which you can copy or download all Sysmon queries related to this rule set.

Prerequisites
The following software versions are required for proper configuration of audit settings and forwarding to IBM QRadar:
• WinCollect Agent 7.2.8 or higher
• Sysmon 12.03 or higher

To verify that Sysmon is present and running on your Windows host, use either of the following:
With PowerShell (as admin):
get-service sysmon*

With the GUI:
• Press Win + R to open the Run dialog
• Type services.msc in the opened window and press Enter
• Find Sysmon or Sysmon64 and verify that it is installed and running


In the same way for WinCollect:

With PowerShell (as admin):
get-service wincollect

With the GUI:
• Press Win + R to open the Run dialog
• Type services.msc in the opened window and press Enter
• Find WinCollect and verify that it is installed and running

Configuring WinCollect Agent

WinCollect is a Syslog event forwarder that administrators can use to forward events from Windows logs to QRadar. WinCollect can collect events from the local system or be configured to remotely poll other Windows systems for events.
For WinCollect installation, please refer to the IBM documentation.


We recommend using the following XPath queries for the WinCollect configuration:

<QueryList>
  <Query Id="0" Path="Events Of Interest">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">(*[System[(EventID=5154 or EventID=5156 or EventID=5157 or EventID=5158)]]) or (*[(EventData[Data[@Name='SubjectUserName'] = 'ANONYMOUS LOGON'] or EventData[Data[@Name='TargetUserName'] = 'ANONYMOUS LOGON'])])</Suppress>
    <Select Path="System">(*[System[(EventID=104 or EventID=1056 or EventID=7000 or EventID=7011 or EventID=7013 or EventID=7030 or EventID=7031 or EventID=7035 or EventID=7036 or EventID=7040 or EventID=7045)]])</Select>
    <Select Path="Application">(*[((System[Provider[@Name='MsiInstaller'] and (EventID=1022 or EventID=1033 or EventID=1034)]) or System[(Level=2) and (EventID=1000)])])</Select>
    <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>
    <Select Path="Microsoft-Windows-PowerShell/Operational">(*[System[(EventID = 4103 or EventID = 4104)]])</Select>
    <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">(*[(System[(EventID=8002) and UserData/RuleAndFileData/PolicyName!="DLL"]) or System[(EventID=8003 or EventID=8004)]])</Select>
    <Select Path="Microsoft-Windows-AppLocker/MSI and Script">(*[System[(EventID=8005 or EventID=8006 or EventID=8007)]])</Select>
    <Select Path="Microsoft-Windows-Sysmon/Operational">(*[System[(EventID=1 or EventID=3 or EventID=7 or EventID=8 or EventID=9 or EventID=10 or EventID=11 or EventID=12 or EventID=13 or EventID=14 or EventID=17 or EventID=18 or EventID=19 or EventID=20 or EventID=21)]])</Select>
    <Select Path="Microsoft-Windows-Security-Mitigations/KernelMode">(*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ((EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]])</Select>
    <Select Path="Microsoft-Windows-Security-Mitigations/UserMode">(*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ((EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]])</Select>
  </Query>
</QueryList>

Configuring Sysmon
Sysmon is a free tool initially developed by Mark Russinovich and Thomas Garnier of the former Winternals Software company and currently maintained by Microsoft. The tool is designed to extend the logging capabilities of Windows to aid in understanding and detecting attackers by their behavior. It was originally developed for internal use at Microsoft.
All of the events generated by Sysmon are saved in the Microsoft-Windows-Sysmon/Operational event log, in order to accommodate security products that already leverage the event log and to make the events easier to view and collect.
Download the installation file from Microsoft. The tool supports 64-bit and 32-bit systems and uses a single command line tool for installation and configuration management. Extract it to any folder and run the command:
sysmon64.exe -i sysmon.xml

Where sysmon.xml is a pre-created configuration file. Sysmon shows its license agreement dialog on first installation; add the -accepteula switch to accept it non-interactively in scripted deployments.

Sample configuration:
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <Rule groupRelation="or">
          <TargetFilename name="T1170" condition="end with">.hta</TargetFilename>
        </Rule>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>


NOTE: The full configuration file is available in the application UI (Sysmon Rules tab).

To update the current configuration, run the following command:
C:\Windows\Sysmon64.exe -c sysmon.xml

NOTE: You can install and configure both the WinCollect Agent and Sysmon in an automated mode on multiple Windows hosts, using the required XPath and Sysmon configuration, with the IBM-validated professional solution QWAD (WinCollect Assisted Deployment), available on IBM App Exchange.
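Appendix C gives each rule's Sysmon filters as lines to add to a particular section, and the guide's sample config above shows the layout they have to land in. The following Python script is an added example (not ScienceSoft's or Sysinternals' code) that merges such per-rule filters into one sysmon.xml and rejects filter conditions Sysmon does not know; the entries in APPENDIX_C_RULES are copied from the sample above and from Appendix C, and the resulting file is applied with the -c command above.

```python
"""Merge per-rule Sysmon filters into one sysmon.xml.

Added example; this is not ScienceSoft's or Sysinternals' code. The filter
entries below are copied from the guide's sample config (T1170) and from the
Appendix C notes (T1021.001, T1021.006, T1037.005, T1049); the schema version
is the one the guide's sample uses (4.22).
"""
import xml.etree.ElementTree as ET

# Filter conditions Sysmon accepts (from the Sysmon usage text). A typo such
# as "equals" would make Sysmon reject the whole configuration at load time,
# so the builder refuses it up front.
SYSMON_CONDITIONS = {
    "is", "is not", "contains", "contains any", "is any", "contains all",
    "excludes", "excludes any", "excludes all", "begin with", "end with",
    "not begin with", "not end with", "less than", "more than", "image",
}
# Event-type sections the guide's rules use (Sysmon element names).
SYSMON_EVENT_TYPES = {
    "ProcessCreate", "NetworkConnect", "ImageLoad", "FileCreate",
    "RegistryEvent", "PipeEvent",
}

# (event type, field, rule name, condition, value). The rule name becomes the
# RuleName field of the Sysmon event, which the QRadar rules match on.
APPENDIX_C_RULES = [
    ("FileCreate", "TargetFilename", "T1170", "end with", ".hta"),
    ("RegistryEvent", "TargetObject", "T1021.001", "is",
     "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services"),
    ("ProcessCreate", "Image", "T1021.006", "image", "winrm.cmd"),
    ("ProcessCreate", "OriginalFileName", "T1021.006", "is", "wsmprovhost.exe"),
    ("NetworkConnect", "DestinationPort", "T1021.006", "is", "5986"),
    ("FileCreate", "TargetFilename", "T1037.005", "contains", "\\Startup\\"),
    ("ProcessCreate", "OriginalFileName", "T1049", "is", "netstat.exe"),
    ("NetworkConnect", "Image", "T1049", "image", "netstat.exe"),
    ("PipeEvent", "PipeName", "T1049", "begin with", "\\srvsvc"),
]


def build_sysmon_config(rules, schemaversion="4.22"):
    """Return sysmon.xml text with one include section per event type.

    Filters of the same event type share a single RuleGroup with
    groupRelation="or", so any one of them matching tags the event with its
    rule name; this mirrors the layout of the guide's sample configuration.
    """
    root = ET.Element("Sysmon", schemaversion=schemaversion)
    filtering = ET.SubElement(root, "EventFiltering")
    sections = {}
    for event_type, field, rule_name, condition, value in rules:
        if event_type not in SYSMON_EVENT_TYPES:
            raise ValueError(f"{rule_name}: unknown event type {event_type!r}")
        if condition not in SYSMON_CONDITIONS:
            raise ValueError(f"{rule_name}: unknown condition {condition!r}")
        if event_type not in sections:
            group = ET.SubElement(filtering, "RuleGroup", name="", groupRelation="or")
            sections[event_type] = ET.SubElement(group, event_type, onmatch="include")
        filt = ET.SubElement(sections[event_type], field, name=rule_name, condition=condition)
        filt.text = value
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def filters_for(xml_text, event_type):
    """List (field, condition, value) tuples of one event-type section."""
    root = ET.fromstring(xml_text)
    return [(f.tag, f.get("condition"), f.text)
            for section in root.iter(event_type) for f in section]


def rule_names(xml_text):
    """Rule names the config can tag events with (all non-empty name= attributes)."""
    root = ET.fromstring(xml_text)
    return {el.get("name") for el in root.iter() if el.get("name")}


if __name__ == "__main__":
    with open("sysmon.xml", "w", encoding="utf-8") as fh:
        fh.write(build_sysmon_config(APPENDIX_C_RULES))
    print("wrote sysmon.xml; apply with: Sysmon64.exe -c sysmon.xml")
```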

Usage
Add legitimate Windows Users and Machine (host)
Most of the rules have the following tests defined in their rule logic:
and NOT when any of User are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric (Ignore Case)
and NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric (Ignore Case)

Add legitimate user names to the MITRE: Windows Users Whitelist reference set and legitimate machine (host) names to the MITRE: Windows Machines Whitelist reference set in order to avoid false-positive offenses. Both sets are matched ignoring case.
NOTE: Please refer to Appendix C for the complete list of rules available in this package.

Map rules to MITRE Techniques via Use Case Manager (Optional)
Windows MITRE rules can be mapped to MITRE Techniques with Use Case Manager (UCM), which you can get from IBM App Exchange.
There are two ways to do that: manually in Use Case Manager, or automatically via the MITRE Windows Integration App.

- Manually
To map techniques, click the ATT&CK™ Action button on the main page of Use Case Manager and select Import.
Click the upload icon, select a mapping file with the .json extension, then click Import.


You can download the mapping JSON file from the application: open the MITRE Windows Integration App interface, go to the Hints tab, then click the Download Mapping File button.

- Automatically
• Log in to the QRadar UI
• Go to the Admin tab
• Create a new Authorized Service and copy the token it generates
• Open the MITRE Windows Integration App interface
• On the initial run you will be presented with a configuration field to enter the Authorization Token
• Enter the Authorization Token generated in the previous step
• Press the Save button to save the configuration


After that the app will map all rules once. Check the status bar to make sure that this has happened.

NOTE: Make sure that Use Case Manager is installed.

Troubleshooting
This application is provided "as-is". You can send any suggestions on how to make it better, and request professional services support for Sysmon configuration and troubleshooting, at [email protected].


Appendix A: Release notes

1.0.0
Initial version


Appendix B: Custom Properties

Several custom properties are provided to enhance Sysmon event normalization. The custom properties listed below are installed automatically along with the application.

Name: Target User Name
Description: Default custom extraction of Target User Name from DSM payload.
Regex: Target.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain| Target Domain:| &amp;&amp;| \s)

Name: Machine ID
Description: Default custom extraction of Machine ID from DSM payload.
Regex: Computer=([^\s]+)

Name: Sysmon Rule Name
Description: Name of the rule that triggered the event, from DSM payload.
Regex: RuleName:\s+(.+)\s+Utc
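To check that the three extractions above pick the intended fields out of a WinCollect payload, and to see how the whitelist tests from the Usage section then gate one of the Appendix C rules, here is an added Python example (not the application's code). The two payloads are constructed to resemble WinCollect-forwarded events and are not real captures; EVENT_ID_RE and USER_RE are this example's own helpers for fields the Appendix B properties do not cover.

```python
"""Run the Appendix B custom-property regexes over WinCollect-style payloads.

Added example, not part of the guide. The payloads are constructed (one
Sysmon Event ID 1, one Security event 4738) and are not real captures;
EVENT_ID_RE and USER_RE are assumed helpers, not custom properties from
the guide.
"""
import re

# Regexes exactly as listed in Appendix B of the guide.
CUSTOM_PROPERTIES = {
    "Target User Name": (r"Target.*?Account Name[\:\\\=\s]+(.*?)\s+"
                         r"(?:Account Domain| Target Domain:| &amp;&amp;| \s)"),
    "Machine ID": r"Computer=([^\s]+)",
    "Sysmon Rule Name": r"RuleName:\s+(.+)\s+Utc",
}
# Assumed helpers: the event ID from the WinCollect header and the User field
# of a Sysmon process-create event (QRadar normalizes these itself).
EVENT_ID_RE = re.compile(r"EventID=(\d+)")
USER_RE = re.compile(r"\bUser:\s+(\S+)")

# Constructed sample payloads (not real captures).
SYSMON_PAYLOAD = (
    "<13>Mar 10 12:00:01 WS01 AgentDevice=WindowsLog "
    "AgentLogFile=Microsoft-Windows-Sysmon/Operational "
    "Source=Microsoft-Windows-Sysmon/Operational Computer=WS01.corp.example "
    "User= Domain= EventID=1 Message=Process Create: RuleName: T1049 "
    "UtcTime: 2021-03-10 12:00:01.123 Image: C:\\Windows\\System32\\NETSTAT.EXE "
    "CommandLine: netstat -ano User: CORP\\jdoe OriginalFileName: netstat.exe"
)
SECURITY_PAYLOAD = (
    "<13>Mar 10 12:00:02 WS01 AgentDevice=WindowsLog AgentLogFile=Security "
    "Source=Microsoft-Windows-Security-Auditing Computer=WS01.corp.example "
    "EventID=4738 Message=A user account was changed. Subject: Security ID: "
    "S-1-5-21-1-2-3-500 Account Name: admin Account Domain: CORP "
    "Target Account: Security ID: S-1-5-21-1-2-3-1001 Account Name: jdoe "
    "Account Domain: CORP"
)


def extract_properties(payload):
    """Apply each Appendix B regex to one payload line.

    A property whose regex does not match is None, just as QRadar leaves
    the custom property empty for that event.
    """
    props = {}
    for name, pattern in CUSTOM_PROPERTIES.items():
        m = re.search(pattern, payload)
        props[name] = m.group(1) if m else None
    return props


def rule_fires(payload, event_ids, technique, machine_whitelist=(), user_whitelist=()):
    """Mirror the test chain shared by the Appendix C rules.

    Event ID is any of event_ids AND Sysmon Rule Name is technique AND NOT
    Machine ID in the machines whitelist AND NOT user in the users whitelist,
    with both whitelists compared ignoring case as the reference sets are.
    """
    props = extract_properties(payload)
    m = EVENT_ID_RE.search(payload)
    if m is None or int(m.group(1)) not in event_ids:
        return False
    if props["Sysmon Rule Name"] != technique:
        return False
    machine = (props["Machine ID"] or "").lower()
    if machine in {w.lower() for w in machine_whitelist}:
        return False
    u = USER_RE.search(payload)
    user = u.group(1).lower() if u else ""
    if user in {w.lower() for w in user_whitelist}:
        return False
    return True
```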


Appendix C: Custom Rules


Complete list of rules provided with application:
Rule Name Logic Notes

MITRE.WIN.T1003.005.RULE when the event(s) were This is rule based on Sysmon


OS Credential Dumping: detected by one or more of configuration. Following options should
Cached Domain Credentials Microsoft Windows Security be enable:
Event Log
AND when the event matches In section <ProcessCreate
Event ID is any of [1] onmatch="include"> add following lines:
AND when the event matches <CommandLine name="T1003.005"
Sysmon Rule Name (custom) is condition="contains">HKLM\SECURITY\C
any of T1003 ACHE</CommandLine>
AND NOT when any of Machine
ID (custom) are contained in Get more Windows MITRE rules:
any of MITRE: Windows https://www.scnsoft.com/services/securi
Machines Whitelist - ty/siem/windows-mitre-attack-rules
AlphaNumeric
AND NOT when any of
Username are contained in any
of MITRE: Windows Users
Whitelist - AlphaNumeric
MITRE.WIN.T1007.RULE when the event(s) were This is rule based on Sysmon
System Service Discovery detected by one or more of configuration. Following options should
Microsoft Windows Security be enable:
Event Log
AND when the event matches In section <ProcessCreate
Event ID is any of [1] onmatch="include"> add following lines:
AND when the event matches <OriginalFileName name="T1007"
Sysmon Rule Name (custom) is condition="contains">LoadOrd</Original
any of T1007 FileName>
AND NOT when any of Machine <OriginalFileName name="T1007"
ID (custom) are contained in condition="is">PsService.exe</OriginalFil
any of MITRE: Windows eName>
Machines Whitelist -
AlphaNumeric Get more Windows MITRE rules:
AND NOT when any of https://www.scnsoft.com/services/securi
Username are contained in any ty/siem/windows-mitre-attack-rules
of MITRE: Windows Users
Whitelist - AlphaNumeric
MITRE.WIN.T1012.RULE when the event(s) were This is rule based on Sysmon
Query Registry detected by one or more of configuration. Following options should
Microsoft Windows Security be enable:
Event Log
AND when the event matches In section <ProcessCreate
Event ID is any of [1] onmatch="include"> add following lines:
AND when the event matches <OriginalFileName name="T1012"
Sysmon Rule Name (custom) is condition="contains">Regsize</OriginalFi
any of T1012 leName>

© 2021 ScienceSoft | Page 15 from 43


MITRE Windows Integration App:
Admin Guide

AND NOT when any of Machine <OriginalFileName name="T1012"


ID (custom) are contained in condition="is">ru.exe</OriginalFileName
any of MITRE: Windows >
Machines Whitelist -
AlphaNumeric Get more Windows MITRE rules:
AND NOT when any of https://www.scnsoft.com/services/securi
Username are contained in any ty/siem/windows-mitre-attack-rules
of MITRE: Windows Users
Whitelist - AlphaNumeric
MITRE.WIN.T1021.001.RULE when the event(s) were This is rule based on Sysmon
Remote Services: Remote detected by one or more of configuration. Following options should
Desktop Protocol Microsoft Windows Security be enable:
Event Log
AND when the event matches In section <RegistryEvent
Event ID is any of [12 or 13 or onmatch="include"> add following lines:
14] <TargetObject name="T1021.001"
AND when the event matches condition="is">HKLM\SOFTWARE\Policie
Sysmon Rule Name (custom) is s\Microsoft\Windows NT\Terminal
any of T1021 Services</TargetObject>
AND NOT when any of Machine
ID (custom) are contained in Get more Windows MITRE rules:
any of MITRE: Windows https://www.scnsoft.com/services/securi
Machines Whitelist - ty/siem/windows-mitre-attack-rules
AlphaNumeric
AND NOT when any of
Username are contained in any
of MITRE: Windows Users
Whitelist - AlphaNumeric
MITRE.WIN.T1021.003.RULE when the event(s) were This is rule based on Sysmon
Remote Services: detected by one or more of configuration. Following options should
Distributed Component Microsoft Windows Security be enable:
Object Model Event Log
AND when the event matches In section <RegistryEvent
Event ID is any of [12 or 13 or onmatch="include"> add following lines:
14] <TargetObject name="T1021.003"
AND when the event matches condition="is">HKLM\SOFTWARE\Micros
Sysmon Rule Name (custom) is oft\Ole</TargetObject>
any of T1021
AND NOT when any of Machine Get more Windows MITRE rules:
ID (custom) are contained in https://www.scnsoft.com/services/securi
any of MITRE: Windows ty/siem/windows-mitre-attack-rules
Machines Whitelist -
AlphaNumeric
AND NOT when any of
Username are contained in any
of MITRE: Windows Users
Whitelist - AlphaNumeric
MITRE.WIN.T1021.006.RULE when the event(s) were This is rule based on Sysmon
Remote Services: Windows detected by one or more of configuration. Following options should
Remote Management Microsoft Windows Security be enable:
Event Log

© 2021 ScienceSoft | Page 16 from 43


MITRE Windows Integration App:
Admin Guide

AND when the event matches In section <ProcessCreate


Event ID is any of [1 or 3] onmatch="include"> add following lines:
AND when the event matches <Image name="T1021.006"
Sysmon Rule Name (custom) is condition="image">winrm.cmd</Image>
any of T1021 <OriginalFileName name="T1021.006"
AND NOT when any of Machine condition="is">wsmprovhost.exe</Origin
ID (custom) are contained in alFileName>
any of MITRE: Windows
Machines Whitelist - In section <NetworkConnect
AlphaNumeric onmatch="include"> add following lines:
AND NOT when any of <DestinationPort name="T1021.006"
Username are contained in any condition="is">5986</DestinationPort>
of MITRE: Windows Users
Whitelist - AlphaNumeric Get more Windows MITRE rules:
https://www.scnsoft.com/services/securi
ty/siem/windows-mitre-attack-rules
MITRE.WIN.T1027.RULE when the event(s) were This is rule based on Sysmon
Obfuscated Files or detected by one or more of configuration. Following options should
Information Microsoft Windows Security be enable:
Event Log
AND when the event matches In section <ProcessCreate
Event ID is any of [1] onmatch="include"> add following lines:
AND when the event matches <CommandLine name="T1027"
Sysmon Rule Name (custom) is condition="contains">ˆ</CommandLine>
any of T1027 <CommandLine name="T1027"
AND NOT when any of Machine condition="contains">../../</CommandLi
ID (custom) are contained in ne>
any of MITRE: Windows
Machines Whitelist - Get more Windows MITRE rules:
AlphaNumeric https://www.scnsoft.com/services/securi
AND NOT when any of ty/siem/windows-mitre-attack-rules
Username are contained in any
of MITRE: Windows Users
Whitelist - AlphaNumeric
MITRE.WIN.T1037.001.RULE when the event(s) were This is rule based on Sysmon
Boot or Logon Initialization detected by one or more of configuration. Following options should
Scripts: Logon Script Microsoft Windows Security be enable:
(Windows) Event Log
AND when the event matches In section <RegistryEvent
Event ID is any of [12 or 13 or onmatch="include"> add following lines:
14] <TargetObject name="T1037.001"
AND when the event matches condition="contains">HKCU\Environment
Sysmon Rule Name (custom) is \UserInitMprLogonScript</TargetObject>
any of T1037 <TargetObject name="T1037.001"
AND NOT when any of Machine condition="contains">HKEY_CURRENT_U
ID (custom) are contained in SER\Environment
any of MITRE: Windows "UserInitMprLogonScript"</TargetObject
Machines Whitelist - >
AlphaNumeric
AND NOT when any of Get more Windows MITRE rules:
Username are contained in any

© 2021 ScienceSoft | Page 17 from 43


MITRE Windows Integration App:
Admin Guide

of MITRE: Windows Users https://www.scnsoft.com/services/securi


Whitelist - AlphaNumeric ty/siem/windows-mitre-attack-rules
MITRE.WIN.T1037.005.RULE when the event(s) were This is rule based on Sysmon
Boot or Logon Initialization detected by one or more of configuration. Following options should
Scripts: Startup Items Microsoft Windows Security be enable:
Event Log
AND when the event matches In section <FileCreate
Event ID is any of [11] onmatch="include"> add following lines:
AND when the event matches <TargetFilename name="T1037.005"
Sysmon Rule Name (custom) is condition="contains">\Startup\</TargetFi
any of T1037 lename>
AND NOT when any of Machine
ID (custom) are contained in Get more Windows MITRE rules:
any of MITRE: Windows https://www.scnsoft.com/services/securi
Machines Whitelist - ty/siem/windows-mitre-attack-rules
AlphaNumeric
AND NOT when any of
Username are contained in any
of MITRE: Windows Users
Whitelist - AlphaNumeric
MITRE.WIN.T1040.RULE when the event(s) were This is rule based on Sysmon
Network Sniffing detected by one or more of configuration. Following options should
Microsoft Windows Security be enable:
Event Log
AND when the event matches In section <ProcessCreate
Event ID is any of [1] onmatch="include"> add following lines:
AND when the event matches <OriginalFileName name="T1040"
Sysmon Rule Name (custom) is condition="is">PktMon.exe</OriginalFile
any of T1040 Name>
AND NOT when any of Machine
ID (custom) are contained in Get more Windows MITRE rules:
any of MITRE: Windows https://www.scnsoft.com/services/securi
Machines Whitelist - ty/siem/windows-mitre-attack-rules
AlphaNumeric
AND NOT when any of
Username are contained in any
of MITRE: Windows Users
Whitelist - AlphaNumeric
MITRE.WIN.T1049.RULE when the event(s) were This is rule based on Sysmon
System Network detected by one or more of configuration. Following options should
Connections Discovery Microsoft Windows Security be enable:
Event Log
AND when the event matches In section <ProcessCreate
Event ID is any of [1 or 3 or 17 onmatch="include"> add following lines:
or 18] <OriginalFileName name="T1049"
AND when the event matches condition="is">netstat.exe</OriginalFileN
Sysmon Rule Name (custom) is ame>
any of T1049
AND NOT when any of Machine In section <NetworkConnect
ID (custom) are contained in onmatch="include"> add following lines:
any of MITRE: Windows <Image name="T1049"

© 2021 ScienceSoft | Page 18 from 43


MITRE Windows Integration App:
Admin Guide

Machines Whitelist - condition="image">netstat.exe</Image>


AlphaNumeric
AND NOT when any of In section <PipeEvent
Username are contained in any onmatch="include"> add following lines:
of MITRE: Windows Users <PipeName name="T1049"
Whitelist - AlphaNumeric condition="begin
with">\srvsvc</PipeName>

Get more Windows MITRE rules:


https://www.scnsoft.com/services/securi
ty/siem/windows-mitre-attack-rules
MITRE.WIN.T1052.001.RULE when the event(s) were No action required.
Exfiltration Over Physical detected by one or more of
Medium: Exfiltration over Microsoft Windows Security Get more Windows MITRE rules:
USB Event Log https://www.scnsoft.com/services/securi
AND when the event matches ty/siem/windows-mitre-attack-rules
Event ID is any of [2003 or 2004
or 2006 or 2010 or 2100 or
2101 or 2105 or 2106]
AND NOT when any of Machine
ID (custom) are contained in
any of MITRE: Windows
Machines Whitelist -
AlphaNumeric
AND NOT when any of
Username are contained in any
of MITRE: Windows Users
Whitelist - AlphaNumeric
MITRE.WIN.T1053.RULE when the event(s) were This is rule based on Sysmon
Scheduled Task/Job detected by one or more of configuration. Following options should
Microsoft Windows Security be enable:
Event Log
AND when the event matches In section <ProcessCreate
Event ID is any of [1 or 3 or 7 or onmatch="include"> add following lines:
11] <OriginalFileName name="T1053"
AND when the event matches condition="contains
Sysmon Rule Name (custom) is any">schtasks.exe;sctasks.exe</OriginalFi
any of T1053 leName>
AND NOT when any of Machine <OriginalFileName name="T1053"
ID (custom) are contained in condition="is">taskeng.exe</OriginalFile
any of MITRE: Windows Name>
Machines Whitelist -
AlphaNumeric In section <NetworkConnect
AND NOT when any of onmatch="include"> add following lines:
Username are contained in any <Image name="T1053"
of MITRE: Windows Users condition="image">schtasks.exe</Image
Whitelist - AlphaNumeric >
<Image name="T1053"
condition="image">at.exe</Image>
<Image name="T1053"
condition="image">taskeng.exe</Image>

© 2021 ScienceSoft | Page 19 from 43


MITRE Windows Integration App:
Admin Guide

In section <ImageLoad
onmatch="include"> add following lines:
<ImageLoaded name="T1053"
condition="end
with">taskschd.dll</ImageLoaded>

In section <FileCreate
onmatch="include"> add following lines:
<TargetFilename name="T1053"
condition="begin
with">C:\Windows\SysWOW64\Tasks</T
argetFilename>
<TargetFilename name="T1053"
condition="begin
with">C:\Windows\system32\Tasks</Tar
getFilename>
<TargetFilename name="T1053"
condition="begin
with">C:\Windows\Tasks\</TargetFilena
me>

Get more Windows MITRE rules:


https://www.scnsoft.com/services/securi
ty/siem/windows-mitre-attack-rules
MITRE.WIN.T1053.002.RULE when the event(s) were No action required.
Scheduled Task/Job: At detected by one or more of
(Windows) Microsoft Windows Security Get more Windows MITRE rules:
Event Log https://www.scnsoft.com/services/securi
AND when the event matches ty/siem/windows-mitre-attack-rules
Event ID is any of [106 or 140 or
141 or 4698 or 4700 or 4701]
AND NOT when any of Machine
ID (custom) are contained in
any of MITRE: Windows
Machines Whitelist -
AlphaNumeric
AND NOT when any of
Username are contained in any
of MITRE: Windows Users
Whitelist - AlphaNumeric
MITRE.WIN.T1053.005.RULE when the event(s) were No action required.
Scheduled Task/Job: detected by one or more of
Scheduled Task Microsoft Windows Security Get more Windows MITRE rules:
Event Log https://www.scnsoft.com/services/securi
AND when the event matches ty/siem/windows-mitre-attack-rules
Event ID is any of [106 or 140 or
141 or 4698 or 4700 or 4701]
AND NOT when any of Machine
ID (custom) are contained in
any of MITRE: Windows

© 2021 ScienceSoft | Page 20 from 43


MITRE Windows Integration App:
Admin Guide

Machines Whitelist -
AlphaNumeric
AND NOT when any of
Username are contained in any
of MITRE: Windows Users
Whitelist - AlphaNumeric
MITRE.WIN.T1056.001.RULE when the event(s) were This is rule based on Sysmon
Input Capture: Keylogging detected by one or more of configuration. Following options should
Microsoft Windows Security be enable:
Event Log
AND when the event matches In section <RegistryEvent
Event ID is any of [12 or 13 or onmatch="include"> add following lines:
14] <TargetObject name="T1056.001"
AND when the event matches condition="contains">\SOFTWARE\Micro
Sysmon Rule Name (custom) is soft\Windows\CurrentVersion\Capability
any of T1056 AccessManager\ConsentStore\hunmanIn
AND NOT when any of Machine terfaceDevice</TargetObject>
ID (custom) are contained in
any of MITRE: Windows Get more Windows MITRE rules:
Machines Whitelist - https://www.scnsoft.com/services/securi
AlphaNumeric ty/siem/windows-mitre-attack-rules
AND NOT when any of
Username are contained in any
of MITRE: Windows Users
Whitelist - AlphaNumeric
MITRE.WIN.T1059.006.RULE when the event(s) were This is rule based on Sysmon
Command and Scripting detected by one or more of configuration. Following options should
Interpreter: Python Microsoft Windows Security be enable:
Event Log
AND when the event matches In section <ProcessCreate
Event ID is any of [1] onmatch="include"> add following lines:
AND when the event matches <Image name="T1059.006"
Sysmon Rule Name (custom) is condition="image">python.exe</Image>
any of T1059
AND NOT when any of Machine Get more Windows MITRE rules:
ID (custom) are contained in https://www.scnsoft.com/services/securi
any of MITRE: Windows ty/siem/windows-mitre-attack-rules
Machines Whitelist -
AlphaNumeric
AND NOT when any of
Username are contained in any
of MITRE: Windows Users
Whitelist - AlphaNumeric
MITRE.WIN.T1059.007.RULE (Command and Scripting Interpreter: JavaScript/JScript)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1059
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following lines:
      <Image name="T1059.007" condition="image">cscript.exe</Image>
      <Image name="T1059.007" condition="image">wscript.exe</Image>
MITRE.WIN.T1069.RULE (Permission Groups Discovery)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [3]
    AND when the event matches Sysmon Rule Name (custom) is any of T1069
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <NetworkConnect onmatch="include"> section add the following line:
      <Image name="T1069" condition="image">net1.exe</Image>
MITRE.WIN.T1069.001.RULE (Permission Groups Discovery: Local Groups)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1069
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following line:
      <CommandLine name="T1069.001" condition="contains">net localgroup</CommandLine>
MITRE.WIN.T1069.002.RULE (Permission Groups Discovery: Domain Groups)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1069
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following line:
      <CommandLine name="T1069.002" condition="contains">net group /domain</CommandLine>
MITRE.WIN.T1070.RULE (Indicator Removal on Host)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1 or 3]
    AND when the event matches Sysmon Rule Name (custom) is any of T1070
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following line:
      <OriginalFileName name="T1070" condition="is">wevtutil.exe</OriginalFileName>
    In the <NetworkConnect onmatch="include"> section add the following line:
      <Image name="T1070" condition="image">wevtutil.exe</Image>
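Every row in this table shares the same QRadar-side shape: a log source test, an Event ID list, a technique-level test on the custom "Sysmon Rule Name" property, and two whitelist exclusions. The script below is an added illustration of that logic run over constructed Sysmon events; it is not code from the app. Its assumptions are that the custom property is extracted from the "RuleName:" line of the event text, that "is any of T1070" also accepts a sub-technique RuleName such as T1070.005 (the T1070.005 row above tests the same T1070 value), and the contents of the two whitelist reference sets, which are invented here.

```python
"""Simulate the QRadar-side logic of the MITRE.WIN.* rules over constructed Sysmon events.

Added example, not part of the app. Assumptions: the custom property "Sysmon Rule Name"
is extracted from the "RuleName:" line of the event payload, and "is any of T1070" is a
technique-level test that also accepts sub-technique names such as T1070.005.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Reference sets named in the rules; contents are constructed for this example.
MACHINES_WHITELIST = {"BUILD-AGENT-01"}
USERS_WHITELIST = {"CORP\\svc_backup"}


@dataclass(frozen=True)
class Rule:
    name: str
    event_ids: FrozenSet[int]
    technique: Optional[str] = None  # None: the rule keys on the Windows Event ID alone


RULES = [
    Rule("MITRE.WIN.T1070.RULE", frozenset({1, 3}), "T1070"),
    Rule("MITRE.WIN.T1070.001.RULE", frozenset({1102})),
    Rule("MITRE.WIN.T1059.006.RULE", frozenset({1}), "T1059"),
    Rule("MITRE.WIN.T1056.001.RULE", frozenset({12, 13, 14}), "T1056"),
]

_FIELD = re.compile(r"^(\w+):\s*(.*)$")


def parse_payload(payload: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of a Sysmon event description into a dict."""
    fields = {}
    for line in payload.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def rule_name_matches(technique: str, rule_name: str) -> bool:
    """Technique-level comparison: T1070 accepts T1070 and T1070.xxx, not T10700."""
    return rule_name == technique or rule_name.startswith(technique + ".")


def matching_rules(event_id: int, computer: str, payload: str) -> List[str]:
    """Names of the rules that fire for one event from the Windows Security log source."""
    f = parse_payload(payload)
    # Both "AND NOT ... contained in ... Whitelist" conditions suppress every rule.
    if computer in MACHINES_WHITELIST or f.get("User", "") in USERS_WHITELIST:
        return []
    hits = []
    for r in RULES:
        if event_id not in r.event_ids:
            continue
        if r.technique is not None and not rule_name_matches(r.technique, f.get("RuleName", "")):
            continue
        hits.append(r.name)
    return hits


# Constructed payloads in the shape of the Sysmon event description text.
WEVTUTIL_PROC = """RuleName: T1070
Image: C:\\Windows\\System32\\wevtutil.exe
CommandLine: wevtutil cl Security
User: CORP\\alice"""

NET_USE_DELETE = """RuleName: T1070.005
Image: C:\\Windows\\System32\\net.exe
CommandLine: net use \\\\fileserver\\share /delete
User: CORP\\alice"""

if __name__ == "__main__":
    print(matching_rules(1, "WS-042", WEVTUTIL_PROC))          # ['MITRE.WIN.T1070.RULE']
    print(matching_rules(3, "WS-042", WEVTUTIL_PROC))          # Event ID 3 hits the same rule
    print(matching_rules(1, "WS-042", NET_USE_DELETE))         # ['MITRE.WIN.T1070.RULE']
    print(matching_rules(1, "BUILD-AGENT-01", WEVTUTIL_PROC))  # [] (whitelisted machine)
```

The whitelist exclusions are evaluated before any rule-specific condition, so a whitelisted machine or user silences every rule in the set; keep those reference sets small and reviewed.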
MITRE.WIN.T1070.001.RULE (Indicator Removal on Host: Clear Windows Event Logs)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1102]
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    No action required.
MITRE.WIN.T1070.005.RULE (Indicator Removal on Host: Network Share Connection Removal)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1070
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following lines:
      <CommandLine name="T1070.005" condition="contains any">net use;net1 use</CommandLine>
      <CommandLine name="T1070.005" condition="contains any">\\;delete</CommandLine>
    Note: "contains any" is a substring test, so the second line tags every command line that contains "\\" (any UNC path) or "delete", not only "net use \\server\share /delete". Expect noise, or tighten it to "contains all" if that fits your environment.
MITRE.WIN.T1074.RULE (Data Staged)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1074
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following lines:
      <OriginalFileName name="T1074" condition="is">robocopy.exe</OriginalFileName>
      <OriginalFileName name="T1074" condition="is">xcopy.exe</OriginalFileName>
MITRE.WIN.T1078.RULE (Valid Accounts)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1078
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following line:
      <OriginalFileName name="T1078" condition="is">djoin.exe</OriginalFileName>
MITRE.WIN.T1082.RULE (System Information Discovery)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1082
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following line:
      <CommandLine name="T1082" condition="contains any">systeminfo;net config workstation;hostname;ver;set;date /t</CommandLine>
    Note: "contains any" matches case-insensitive substrings, so the short tokens "ver" and "set" also tag unrelated command lines such as "powershell.exe -version" or "setup.exe"; review the volume this line produces before relying on the rule.
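Each Sysmon row above says "in section <X onmatch="include"> add the following lines", which in practice means merging lines from many rows into one block per event type, and the conditions used (is, image, contains, contains any, contains all, begin with, end with) decide how noisy a line is. The script below is an added example, not the vendor's tooling: it assembles a handful of fragments copied from this table into a single Sysmon configuration and then runs a simplified model of the include filter over constructed events to show which RuleName each would receive. Assumptions are the schemaversion value, that Sysmon matches strings case-insensitively, and that Sysmon reports a single RuleName per event whereas the helper lists every matching rule so overlaps are visible.

```python
"""Assemble per-technique Sysmon fragments into one config and simulate the include filter.

Added example, not the vendor's tooling. Fragments are copied from the table rows; the matcher
is a simplified model of Sysmon's case-insensitive string conditions (assumption: Sysmon reports
one RuleName per event, whereas rule_names() lists every rule that would match).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# (event type, field, condition, value, rule name), as written in the table rows.
FRAGMENTS: List[Tuple[str, str, str, str, str]] = [
    ("ProcessCreate", "Image", "image", "python.exe", "T1059.006"),
    ("ProcessCreate", "CommandLine", "contains", "net localgroup", "T1069.001"),
    ("ProcessCreate", "CommandLine", "contains any",
     "systeminfo;net config workstation;hostname;ver;set;date /t", "T1082"),
    ("ProcessCreate", "CommandLine", "contains all", "rundll32.exe;shell32.dll;Control_RunDLL", "T1218.002"),
    ("ProcessCreate", "OriginalFileName", "is", "wevtutil.exe", "T1070"),
    ("NetworkConnect", "Image", "image", "wevtutil.exe", "T1070"),
    ("RegistryEvent", "TargetObject", "contains",
     "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\humanInterfaceDevice",
     "T1056.001"),
    ("FileCreate", "TargetFilename", "end with", ".scf", "T1187"),
]


def build_config(fragments, schemaversion: str = "4.50") -> str:
    """Emit one Sysmon config with a single <X onmatch="include"> block per event type.

    Lines from different rows that target the same event type are merged into that one
    block rather than emitted as repeated sections.
    """
    root = ET.Element("Sysmon", schemaversion=schemaversion)  # schemaversion is an assumption
    group = ET.SubElement(ET.SubElement(root, "EventFiltering"), "RuleGroup",
                          name="", groupRelation="or")
    sections: Dict[str, ET.Element] = {}
    for event_type, field, condition, value, name in fragments:
        if event_type not in sections:
            sections[event_type] = ET.SubElement(group, event_type, onmatch="include")
        ET.SubElement(sections[event_type], field, name=name, condition=condition).text = value
    return ET.tostring(root, encoding="unicode")


def include_sections(config_xml: str) -> Dict[str, int]:
    """Number of rule lines inside each <EventType onmatch="include"> block of a config."""
    root = ET.fromstring(config_xml)
    return {sec.tag: len(sec) for sec in root.iter() if sec.get("onmatch") == "include"}


def condition_matches(condition: str, actual: str, expected: str) -> bool:
    """The Sysmon string conditions used on this page; all comparisons are case-insensitive."""
    a, e = actual.lower(), expected.lower()
    tokens = e.split(";")  # "contains any" / "contains all" take ';'-separated values
    return {
        "is": a == e,
        "image": a == e or a.endswith("\\" + e),  # full path or bare image name
        "contains": e in a,
        "contains any": any(t in a for t in tokens),
        "contains all": all(t in a for t in tokens),
        "begin with": a.startswith(e),
        "end with": a.endswith(e),
    }[condition]


def rule_names(fragments, event_type: str, fields: Dict[str, str]) -> List[str]:
    """RuleName values the include filter would attach to an event with these fields."""
    return [name for et, field, cond, value, name in fragments
            if et == event_type and field in fields and condition_matches(cond, fields[field], value)]


if __name__ == "__main__":
    print(build_config(FRAGMENTS))
    # Intended hit for the T1069.001 line:
    print(rule_names(FRAGMENTS, "ProcessCreate",
                     {"Image": "C:\\Windows\\System32\\net1.exe",
                      "CommandLine": "net localgroup administrators"}))  # ['T1069.001']
    # The noise the T1082 tokens "ver" and "set" produce on an unrelated command line:
    print(rule_names(FRAGMENTS, "ProcessCreate",
                     {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                      "CommandLine": "powershell.exe -version 2"}))  # ['T1082']
```

Run it once against a day of your own process-creation command lines (the fields dict is all it needs) before loading the config on an endpoint; the second print shows why the short "contains any" tokens deserve that check.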
MITRE.WIN.T1087.RULE (Account Discovery)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1087
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following lines:
      <OriginalFileName name="T1087" condition="is">cmdkey.exe</OriginalFileName>
      <OriginalFileName name="T1087" condition="is">klist.exe</OriginalFileName>
MITRE.WIN.T1087.001.RULE (Account Discovery: Local Account)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1087
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following line:
      <CommandLine name="T1087.001" condition="contains any">net user;net localgroup</CommandLine>
MITRE.WIN.T1087.002.RULE (Account Discovery: Domain Account)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1087
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following line:
      <CommandLine name="T1087.002" condition="contains any">net user /domain;net group /domain</CommandLine>
MITRE.WIN.T1114.001.RULE (Email Collection: Local Email Collection)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1114
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following line:
      <CommandLine name="T1114.001" condition="contains any">\AppData\Local\Microsoft\Outlook;\Documents\Outlook Files</CommandLine>
MITRE.WIN.T1123.RULE (Audio Capture)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [12 or 13 or 14]
    AND when the event matches Sysmon Rule Name (custom) is any of T1123
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <RegistryEvent onmatch="include"> section add the following lines:
      <TargetObject name="T1123" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetooth</TargetObject>
      <TargetObject name="T1123" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone</TargetObject>
MITRE.WIN.T1125.RULE (Video Capture)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [12 or 13 or 14]
    AND when the event matches Sysmon Rule Name (custom) is any of T1125
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <RegistryEvent onmatch="include"> section add the following line:
      <TargetObject name="T1125" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam</TargetObject>
MITRE.WIN.T1127.001.RULE (Trusted Developer Utilities Proxy Execution: MSBuild)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1127
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following line:
      <OriginalFileName name="T1127.001" condition="is">MSBuild.exe</OriginalFileName>
MITRE.WIN.T1137.002.RULE (Office Application Startup: Office Test)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [12 or 13 or 14]
    AND when the event matches Sysmon Rule Name (custom) is any of T1137
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <RegistryEvent onmatch="include"> section add the following line:
      <TargetObject name="T1137.002" condition="end with">Software\Microsoft\Office test\Special\Perf</TargetObject>
MITRE.WIN.T1187.RULE (Forced Authentication)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [11]
    AND when the event matches Sysmon Rule Name (custom) is any of T1187
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <FileCreate onmatch="include"> section add the following lines:
      <TargetFilename name="T1187" condition="end with">.scf</TargetFilename>
      <TargetFilename name="T1187" condition="end with">.lnk</TargetFilename>
MITRE.WIN.T1200.RULE (Hardware Additions)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [2003 or 2004 or 2006 or 2010 or 2100 or 2101 or 2102 or 2105 or 2106]
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    No action required.
MITRE.WIN.T1218.001.RULE (Signed Binary Proxy Execution: Compiled HTML File)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1218
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following line:
      <Image name="T1218.001" condition="image">hh.exe</Image>
MITRE.WIN.T1218.002.RULE (Signed Binary Proxy Execution: Control Panel)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1218
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following lines:
      <CommandLine name="T1218.002" condition="contains all">rundll32.exe;shell32.dll;Control_RunDLL</CommandLine>
      <CommandLine name="T1218.002" condition="contains all">control;/name</CommandLine>
MITRE.WIN.T1218.003.RULE (Signed Binary Proxy Execution: CMSTP)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1218
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following lines:
      <CommandLine name="T1218.003" condition="contains all">/ni;/s</CommandLine>
      <OriginalFileName name="T1218.003" condition="is">CMSTP.exe</OriginalFileName>
MITRE.WIN.T1218.004.RULE (Signed Binary Proxy Execution: InstallUtil)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1218
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following lines:
      <CommandLine name="T1218.004" condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine>
      <OriginalFileName name="T1218.004" condition="is">InstallUtil.exe</OriginalFileName>
MITRE.WIN.T1218.007.RULE (Signed Binary Proxy Execution: Msiexec)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1218
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following line:
      <Image name="T1218.007" condition="image">msiexec.exe</Image>
MITRE.WIN.T1218.008.RULE (Signed Binary Proxy Execution: Odbcconf)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1218
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following line:
      <Image name="T1218.008" condition="image">odbcconf.exe</Image>
MITRE.WIN.T1218.011.RULE (Signed Binary Proxy Execution: Rundll32)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [3]
    AND when the event matches Sysmon Rule Name (custom) is any of T1218
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <NetworkConnect onmatch="include"> section add the following line:
      <Image name="T1218.011" condition="image">rundll32.exe</Image>
MITRE.WIN.T1222.001.RULE (File and Directory Permissions Modification: Windows File and Directory Permissions Modification)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [4670]
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    No action required.
MITRE.WIN.T1482.RULE (Domain Trust Discovery)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1482
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following lines:
      <CommandLine name="T1482" condition="contains all">"C:\WINDOWS\system32\nltest.exe" /domain_trusts </CommandLine>
      <OriginalFileName name="T1482" condition="is">nltestrk.exe</OriginalFileName>
    Note: the CommandLine line only matches an invocation that quotes the full path; the OriginalFileName line (nltest.exe carries the original file name nltestrk.exe) covers the usual "nltest /domain_trusts" form.
MITRE.WIN.T1489.RULE (Service Stop)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [None]
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    No action required.
MITRE.WIN.T1489.RULE (Service Stop [Sysmon])
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1489
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following line:
      <CommandLine name="T1489" condition="contains any">net stop;Stop-Service</CommandLine>
MITRE.WIN.T1490.RULE (Inhibit System Recovery)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [524]
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    No action required.
MITRE.WIN.T1490.RULE (Inhibit System Recovery [Sysmon])
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1]
    AND when the event matches Sysmon Rule Name (custom) is any of T1490
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <ProcessCreate onmatch="include"> section add the following line:
      <OriginalFileName name="T1490" condition="is">vssadmin.exe</OriginalFileName>
MITRE.WIN.T1518.RULE (Software Discovery)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [12 or 13 or 14]
    AND when the event matches Sysmon Rule Name (custom) is any of T1518
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <RegistryEvent onmatch="include"> section add the following line:
      <TargetObject name="T1518" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths</TargetObject>
MITRE.WIN.T1529.RULE (System Shutdown/Reboot)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [1074 or 6006]
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    No action required.
MITRE.WIN.T1546.001.RULE (Event Triggered Execution: Change Default File Association)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [12 or 13 or 14]
    AND when the event matches Sysmon Rule Name (custom) is any of T1546
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <RegistryEvent onmatch="include"> section add the following line:
      <TargetObject name="T1546.001" condition="contains">\Explorer\FileExts</TargetObject>
MITRE.WIN.T1546.007.RULE (Event Triggered Execution: Netsh Helper DLL)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [12 or 13 or 14]
    AND when the event matches Sysmon Rule Name (custom) is any of T1546
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <RegistryEvent onmatch="include"> section add the following line:
      <TargetObject name="T1546.007" condition="contains">SOFTWARE\Microsoft\Netsh</TargetObject>
MITRE.WIN.T1546.009.RULE (Event Triggered Execution: AppCert DLLs)
  Rule logic:
    when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    AND when the event matches Event ID is any of [12 or 13 or 14]
    AND when the event matches Sysmon Rule Name (custom) is any of T1546
    AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
    AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric
  Sysmon configuration:
    This rule depends on the Sysmon configuration. In the <RegistryEvent onmatch="include"> section add the following line:
      <TargetObject name="T1546.009" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls</TargetObject>
MITRE.WIN.T1546.012.RULE
Event Triggered Execution: Image File Execution Options Injection

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [12 or 13 or 14]
  AND when the event matches Sysmon Rule Name (custom) is any of T1546
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <RegistryEvent onmatch="include"> add the following lines:
    <TargetObject name="T1546.012" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
    <TargetObject name="T1546.012" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules

MITRE.WIN.T1546.013.RULE
Event Triggered Execution: PowerShell Profile

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [11]
  AND when the event matches Sysmon Rule Name (custom) is any of T1546
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <FileCreate onmatch="include"> add the following lines:
    <TargetFilename name="T1546.013" condition="end with">\Profile.ps1</TargetFilename>
    <TargetFilename name="T1546.013" condition="end with">_profile.ps1</TargetFilename>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules
MITRE.WIN.T1547.002.RULE
Boot or Logon Autostart Execution: Authentication Package

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [12 or 13 or 14]
  AND when the event matches Sysmon Rule Name (custom) is any of T1547
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <RegistryEvent onmatch="include"> add the following line:
    <TargetObject name="T1547.002" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa</TargetObject>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules

MITRE.WIN.T1547.003.RULE
Boot or Logon Autostart Execution: Time Providers

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [12 or 13 or 14]
  AND when the event matches Sysmon Rule Name (custom) is any of T1547
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <RegistryEvent onmatch="include"> add the following line:
    <TargetObject name="T1547.003" condition="contains">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders</TargetObject>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules
MITRE.WIN.T1547.005.RULE
Boot or Logon Autostart Execution: Security Support Provider

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [12 or 13 or 14]
  AND when the event matches Sysmon Rule Name (custom) is any of T1547
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <RegistryEvent onmatch="include"> add the following line:
    <TargetObject name="T1547.005" condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe</TargetObject>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules

MITRE.WIN.T1547.008.RULE
Boot or Logon Autostart Execution: LSASS Driver

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [12 or 13 or 14]
  AND when the event matches Sysmon Rule Name (custom) is any of T1547
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <RegistryEvent onmatch="include"> add the following lines:
    <TargetObject name="T1547.008" condition="contains">\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt</TargetObject>
    <TargetObject name="T1547.008" condition="contains">\CurrentControlSet\Services\NTDS\LsaDbExtPt</TargetObject>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules
MITRE.WIN.T1547.009.RULE
Boot or Logon Autostart Execution: Shortcut Modification

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [11]
  AND when the event matches Sysmon Rule Name (custom) is any of T1547
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <FileCreate onmatch="include"> add the following line:
    <TargetFilename name="T1547.009" condition="contains">\Start Menu</TargetFilename>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules

MITRE.WIN.T1547.010.RULE
Boot or Logon Autostart Execution: Port Monitors

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [12 or 13 or 14]
  AND when the event matches Sysmon Rule Name (custom) is any of T1547
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <RegistryEvent onmatch="include"> add the following lines:
    <TargetObject name="T1547.010" condition="begin with">HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports</TargetObject>
    <TargetObject name="T1547.010" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports</TargetObject>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules
MITRE.WIN.T1550.002.RULE
Use Alternate Authentication Material: Pass the Hash

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [12 or 13 or 14]
  AND when the event matches Sysmon Rule Name (custom) is any of T1550
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <RegistryEvent onmatch="include"> add the following line:
    <TargetObject name="T1550.002" condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules

MITRE.WIN.T1552.001.RULE
Unsecured Credentials: Credentials In Files

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [1]
  AND when the event matches Sysmon Rule Name (custom) is any of T1552
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <ProcessCreate onmatch="include"> add the following lines:
    <OriginalFileName name="T1552.001" condition="is">where.exe</OriginalFileName>
    <OriginalFileName name="T1552.001" condition="is">findstr.exe</OriginalFileName>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules
MITRE.WIN.T1552.002.RULE
Unsecured Credentials: Credentials in Registry

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [1]
  AND when the event matches Sysmon Rule Name (custom) is any of T1552
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <ProcessCreate onmatch="include"> add the following line:
    <CommandLine name="T1552.002" condition="contains">/f password /t REG_SZ /s</CommandLine>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules

MITRE.WIN.T1553.004.RULE
Subvert Trust Controls: Install Root Certificate

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [12 or 13 or 14]
  AND when the event matches Sysmon Rule Name (custom) is any of T1553
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <RegistryEvent onmatch="include"> add the following lines:
    <TargetObject name="T1553.004" condition="contains">\Microsoft\SystemCertificates\Root\Certificates</TargetObject>
    <TargetObject name="T1553.004" condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates</TargetObject>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules
MITRE.WIN.T1556.RULE
Modify Authentication Process

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [12 or 13 or 14]
  AND when the event matches Sysmon Rule Name (custom) is any of T1556
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <RegistryEvent onmatch="include"> add the following line:
    <TargetObject name="T1556" condition="contains">\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules

MITRE.WIN.T1556.001.RULE
Modify Authentication Process: Domain Controller Authentication

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [7]
  AND when the event matches Sysmon Rule Name (custom) is any of T1556
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <ImageLoad onmatch="include"> add the following lines:
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules
MITRE.WIN.T1556.002.RULE
Modify Authentication Process: Password Filter DLL

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [12 or 13 or 14]
  AND when the event matches Sysmon Rule Name (custom) is any of T1556
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <RegistryEvent onmatch="include"> add the following line:
    <TargetObject name="T1556.002" condition="contains">\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules

MITRE.WIN.T1557.001.RULE
Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [12 or 13 or 14]
  AND when the event matches Sysmon Rule Name (custom) is any of T1557
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <RegistryEvent onmatch="include"> add the following line:
    <TargetObject name="T1557.001" condition="contains">\Software\Policies\Microsoft\Windows NT\DNSClient</TargetObject>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules
MITRE.WIN.T1558.001.RULE
Steal or Forge Kerberos Tickets: Golden Ticket

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [4624 or 4672 or 4634]
  AND when the event matches "Target User Name" != "Logon Account Name" AQL filter query
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  No action required.
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules

MITRE.WIN.T1558.002.RULE
Steal or Forge Kerberos Tickets: Silver Ticket

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [4624 or 4672 or 4634]
  AND when the event matches "Target User Name" != "Logon Account Name" AQL filter query
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  No action required.
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules

MITRE.WIN.T1558.003.RULE
Steal or Forge Kerberos Tickets: Kerberoasting

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of 4769
  AND when the event matches Ticket Encryption Type (custom) is any of 0x17
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  No action required.
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules
MITRE.WIN.T1562.002.RULE
Impair Defenses: Disable Windows Event Logging

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [12 or 13 or 14]
  AND when the event matches Sysmon Rule Name (custom) is any of T1562
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <RegistryEvent onmatch="include"> add the following lines:
    <TargetObject name="T1562.002" condition="contains all">REGISTRY\MACHINE\SYSTEM\ControlSet001\Service\EventLog;MaxSize</TargetObject>
    <TargetObject name="T1562.002" condition="contains all">REGISTRY\MACHINE\SYSTEM\ControlSet001\Service\EventLog;Retention</TargetObject>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules

MITRE.WIN.T1563.002.RULE
Remote Service Session Hijacking: RDP Hijacking

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [1]
  AND when the event matches Sysmon Rule Name (custom) is any of T1563
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <ProcessCreate onmatch="include"> add the following lines:
    <Image name="T1563.002" condition="image">tscon.exe</Image>
    <CommandLine name="T1563.002" condition="contains any">cmd.exe /k;cmd.exe /c</CommandLine>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules
MITRE.WIN.T1574.010.RULE
Hijack Execution Flow: Services File Permissions Weakness

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [11]
  AND when the event matches Sysmon Rule Name (custom) is any of T1574
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <FileCreate onmatch="include"> add the following line:
    <TargetFilename name="T1574.010" condition="begin with">C:\Windows\Temp\</TargetFilename>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules

MITRE.WIN.T1574.011.RULE
Hijack Execution Flow: Services Registry Permissions Weakness

Rule tests:
  when the event(s) were detected by one or more of Microsoft Windows Security Event Log
  AND when the event matches Event ID is any of [12 or 13 or 14]
  AND when the event matches Sysmon Rule Name (custom) is any of T1574
  AND NOT when any of Machine ID (custom) are contained in any of MITRE: Windows Machines Whitelist - AlphaNumeric
  AND NOT when any of Username are contained in any of MITRE: Windows Users Whitelist - AlphaNumeric

Required configuration:
  This rule is based on the Sysmon configuration. The following options should be enabled.
  In section <RegistryEvent onmatch="include"> add the following line:
    <TargetObject name="T1574.011" condition="contains">HKLM\SYSTEM\CurrentControlSet\Services</TargetObject>
  Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules
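The Sysmon-based rules in this table all depend on the `condition="..."` keyword of each configuration line (contains, begin with, end with, is, contains all, contains any, image) matching the field value Sysmon reports. The following added example (not ScienceSoft's or Sysmon's code) models those Sysmon condition semantics in Python so that the fragments above can be checked against sample field values before a configuration is deployed: matching is case-insensitive, "contains all" and "contains any" split their value on ";", and "image" accepts either the full path or just the file name. The helper names, the selection of fragments copied from the table, and every sample event value are constructed for the example.

```python
"""Local model of Sysmon rule-condition matching, used to dry-run the
configuration fragments listed in this guide against sample field values.
Added example; not ScienceSoft's or Sysmon's code. All sample values are constructed."""
import re
from dataclasses import dataclass

# Fragments copied from the table above (a subset), one per line.
GUIDE_FRAGMENTS = r"""
<TargetObject name="T1546.007" condition="contains">SOFTWARE\Microsoft\Netsh</TargetObject>
<TargetObject name="T1546.009" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls</TargetObject>
<TargetObject name="T1547.002" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa</TargetObject>
<TargetObject name="T1562.002" condition="contains all">REGISTRY\MACHINE\SYSTEM\ControlSet001\Service\EventLog;MaxSize</TargetObject>
<TargetFilename name="T1546.013" condition="end with">\Profile.ps1</TargetFilename>
<Image name="T1563.002" condition="image">tscon.exe</Image>
<CommandLine name="T1563.002" condition="contains any">cmd.exe /k;cmd.exe /c</CommandLine>
<OriginalFileName name="T1552.001" condition="is">findstr.exe</OriginalFileName>
"""

# Matches one <Field name="..." condition="...">value</Field> line.
_LINE = re.compile(r'<(\w+)\s+name="([^"]+)"\s+condition="([^"]+)">([^<]*)</\1>')


@dataclass(frozen=True)
class SysmonCondition:
    """One configuration line: the Sysmon field it tests, the name= tag
    (the MITRE technique in this guide), the condition keyword and the value."""
    field: str
    technique: str
    condition: str
    value: str


def parse_fragments(text: str) -> list:
    """Parse configuration lines of the form used in this guide."""
    return [SysmonCondition(f, n, c, v) for f, n, c, v in _LINE.findall(text)]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def condition_matches(cond: SysmonCondition, observed: str) -> bool:
    """Case-insensitive Sysmon condition semantics for the keywords used in this guide."""
    obs, val, c = observed.lower(), cond.value.lower(), cond.condition
    if c == "is":
        return obs == val
    if c == "contains":
        return val in obs
    if c == "begin with":
        return obs.startswith(val)
    if c == "end with":
        return obs.endswith(val)
    if c == "contains all":           # every ';'-separated part must occur
        return all(part in obs for part in val.split(";"))
    if c == "contains any":           # at least one ';'-separated part must occur
        return any(part in obs for part in val.split(";"))
    if c == "image":                  # full path or just the file name
        return obs == val or _basename(obs) == val
    raise ValueError(f"unsupported Sysmon condition: {cond.condition!r}")


def techniques_for_event(conds, event: dict) -> set:
    """Return the technique tags whose condition matches the event's fields.
    `event` maps a Sysmon field name (TargetObject, CommandLine, ...) to its value."""
    hits = set()
    for cond in conds:
        observed = event.get(cond.field)
        if observed is not None and condition_matches(cond, observed):
            hits.add(cond.technique)
    return hits


RULES = parse_fragments(GUIDE_FRAGMENTS)

if __name__ == "__main__":
    # Constructed sample events: a registry write under Lsa and a tscon.exe launch.
    print(techniques_for_event(RULES, {"TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages"}))
    print(techniques_for_event(RULES, {"Image": r"C:\Windows\System32\tscon.exe", "CommandLine": "tscon.exe 2 /dest:console"}))
```

The matcher is only a model of the keywords; the exact TargetObject string Sysmon emits (for example whether it reports `HKLM\...` or `REGISTRY\MACHINE\...`) should be confirmed against real Event ID 12/13/14 records from the Sysmon version in use before relying on a fragment.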
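The three MITRE.WIN.T1558.* rules above need no Sysmon configuration: they test native Security log events (4624/4672/4634 with a mismatch between "Target User Name" and "Logon Account Name", and 4769 with Ticket Encryption Type 0x17) and then apply the machine and user whitelist exclusions. The added example below (not ScienceSoft's code) reproduces those rule tests in Python over a constructed batch of events, so the effect of the whitelists can be seen on sample data. The dictionary field names, the whitelist contents and the sample events are all constructed stand-ins for the QRadar properties and reference sets named in the table.

```python
"""Model of the MITRE.WIN.T1558.001/.002 (ticket forgery) and .003
(Kerberoasting) rule tests with the whitelist exclusions. Added example,
not ScienceSoft's code; field names, whitelists and events are constructed."""

# Constructed stand-ins for the "MITRE: Windows Machines Whitelist" and
# "MITRE: Windows Users Whitelist" reference sets (stored lower-case).
MACHINES_WHITELIST = {"lab-scanner01"}
USERS_WHITELIST = {"svc_backup"}

TICKET_EVENT_IDS = {4624, 4672, 4634}   # Golden/Silver Ticket rules
RC4_HMAC = "0x17"                        # Ticket Encryption Type flagged by the Kerberoasting rule


def is_whitelisted(event: dict) -> bool:
    """The two 'AND NOT ... contained in ... Whitelist' tests shared by every rule."""
    return (event.get("machine_id", "").lower() in MACHINES_WHITELIST
            or event.get("username", "").lower() in USERS_WHITELIST)


def ticket_forgery_test(event: dict) -> bool:
    """MITRE.WIN.T1558.001 / .002: Event ID 4624, 4672 or 4634 where
    "Target User Name" != "Logon Account Name" (exact comparison, like the AQL filter)."""
    return (event.get("event_id") in TICKET_EVENT_IDS
            and event.get("target_user_name") != event.get("logon_account_name"))


def kerberoasting_test(event: dict) -> bool:
    """MITRE.WIN.T1558.003: Event ID 4769 with Ticket Encryption Type 0x17 (RC4-HMAC)."""
    return (event.get("event_id") == 4769
            and event.get("ticket_encryption_type", "").lower() == RC4_HMAC)


def evaluate(events) -> dict:
    """Run both rule tests over a batch; returns rule name -> ids of matching events."""
    hits = {"MITRE.WIN.T1558.001/002": [], "MITRE.WIN.T1558.003": []}
    for ev in events:
        if is_whitelisted(ev):          # whitelist exclusions apply to every rule
            continue
        if ticket_forgery_test(ev):
            hits["MITRE.WIN.T1558.001/002"].append(ev["id"])
        if kerberoasting_test(ev):
            hits["MITRE.WIN.T1558.003"].append(ev["id"])
    return hits


# Constructed sample events.
SAMPLE_EVENTS = [
    {"id": "e1", "event_id": 4624, "machine_id": "ws-042", "username": "jdoe",
     "target_user_name": "jdoe", "logon_account_name": "jdoe"},             # ordinary logon
    {"id": "e2", "event_id": 4672, "machine_id": "dc01", "username": "Administrator",
     "target_user_name": "Administrator", "logon_account_name": "forged"},   # name mismatch
    {"id": "e3", "event_id": 4769, "machine_id": "dc01", "username": "jdoe",
     "ticket_encryption_type": "0x12"},                                       # AES256 service ticket
    {"id": "e4", "event_id": 4769, "machine_id": "dc01", "username": "jdoe",
     "ticket_encryption_type": "0x17"},                                       # RC4 service ticket
    {"id": "e5", "event_id": 4769, "machine_id": "dc01", "username": "svc_backup",
     "ticket_encryption_type": "0x17"},                                       # RC4, whitelisted user
    {"id": "e6", "event_id": 4634, "machine_id": "lab-scanner01", "username": "scan",
     "target_user_name": "scan", "logon_account_name": "other"},             # whitelisted machine
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

RC4 (0x17) service tickets are also issued legitimately to accounts that have no AES keys, so the user whitelist is where such known service accounts are tuned out rather than by loosening the 0x17 test.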
