Use-Case	Activity Type (Legacy Event Type)/Parsers	MITRE ATT&CK® TTP	Content
Audit Tampering	process-create:success (process-created) ↳microsoft-sysmon-xml-process-create-success-processcreate-1 ↳microsoft-sysmon-json-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-processcreate ↳microsoft-sysmon-kv-process-create-success-createremotethread ↳microsoft-sysmon-json-process-create-success-createremotethread ↳microsoft-sysmon-cef-process-create-success-sysmoncreateprocess ↳microsoft-sysmon-xml-process-create-success-processcreate-2 ↳microsoft-sysmon-kv-process-create-success-processcreate-1 ↳microsoft-sysmon-kv-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-1	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546 - Event Triggered Execution T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	4 Rules
Compromised Credentials	app-activity:success (app-activity) ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen app-login:success (app-login) ↳microsoft-defenderep-json-app-login-success-timegenerated file-delete:success (file-delete) ↳microsoft-sysmon-kv-file-delete-success-filedelete ↳microsoft-defenderep-json-file-success-tenantid file-read:success (file-read) ↳microsoft-evsecurity-json-file-success-objectopen file-write:success (file-write) ↳microsoft-sysmon-cef-file-write-success-filecreated ↳microsoft-sysmon-json-file-write-success-11 ↳microsoft-sysmon-kv-file-write-success-filecreate ↳microsoft-sysmon-json-file-write-success-2 ↳microsoft-sysmon-xml-file-write-success-11-1 ↳microsoft-defenderep-json-file-success-tenantid ↳microsoft-evsecurity-json-file-success-objectopen alert-trigger:success (process-alert) ↳microsoft-sysmon-xml-alert-trigger-success-25 process-create:success (process-created) ↳microsoft-sysmon-xml-process-create-success-processcreate-1 ↳microsoft-sysmon-json-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-processcreate ↳microsoft-sysmon-kv-process-create-success-createremotethread ↳microsoft-sysmon-json-process-create-success-createremotethread ↳microsoft-sysmon-cef-process-create-success-sysmoncreateprocess ↳microsoft-sysmon-xml-process-create-success-processcreate-2 ↳microsoft-sysmon-kv-process-create-success-processcreate-1 ↳microsoft-sysmon-kv-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-1 network-session:success (process-network) ↳microsoft-sysmon-xml-network-session-success-3 ↳microsoft-sysmon-json-network-session-success-netconn ↳microsoft-sysmon-kv-mul-network-session-success-detected ↳microsoft-sysmon-cef-network-session-success-networkconndetected	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1027 - Obfuscated Files or Information T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218 - Signed Binary Proxy Execution T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	109 Rules 44 Models
Cryptomining	process-create:success (process-created) ↳microsoft-sysmon-xml-process-create-success-processcreate-1 ↳microsoft-sysmon-json-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-processcreate ↳microsoft-sysmon-kv-process-create-success-createremotethread ↳microsoft-sysmon-json-process-create-success-createremotethread ↳microsoft-sysmon-cef-process-create-success-sysmoncreateprocess ↳microsoft-sysmon-xml-process-create-success-processcreate-2 ↳microsoft-sysmon-kv-process-create-success-processcreate-1 ↳microsoft-sysmon-kv-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-1	T1496 - Resource Hijacking	1 Rules
Data Access	app-activity:success (app-activity) ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen app-login:success (app-login) ↳microsoft-defenderep-json-app-login-success-timegenerated file-delete:success (file-delete) ↳microsoft-sysmon-kv-file-delete-success-filedelete ↳microsoft-defenderep-json-file-success-tenantid file-read:success (file-read) ↳microsoft-evsecurity-json-file-success-objectopen file-write:success (file-write) ↳microsoft-sysmon-cef-file-write-success-filecreated ↳microsoft-sysmon-json-file-write-success-11 ↳microsoft-sysmon-kv-file-write-success-filecreate ↳microsoft-sysmon-json-file-write-success-2 ↳microsoft-sysmon-xml-file-write-success-11-1 ↳microsoft-defenderep-json-file-success-tenantid ↳microsoft-evsecurity-json-file-success-objectopen process-create:success (process-created) ↳microsoft-sysmon-xml-process-create-success-processcreate-1 ↳microsoft-sysmon-json-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-processcreate ↳microsoft-sysmon-kv-process-create-success-createremotethread ↳microsoft-sysmon-json-process-create-success-createremotethread ↳microsoft-sysmon-cef-process-create-success-sysmoncreateprocess ↳microsoft-sysmon-xml-process-create-success-processcreate-2 ↳microsoft-sysmon-kv-process-create-success-processcreate-1 ↳microsoft-sysmon-kv-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-1	T1003 - OS Credential Dumping T1078 - Valid Accounts T1083 - File and Directory Discovery	44 Rules 24 Models
Data Exfiltration	file-write:success (file-write) ↳microsoft-sysmon-cef-file-write-success-filecreated ↳microsoft-sysmon-json-file-write-success-11 ↳microsoft-sysmon-kv-file-write-success-filecreate ↳microsoft-sysmon-json-file-write-success-2 ↳microsoft-sysmon-xml-file-write-success-11-1 ↳microsoft-defenderep-json-file-success-tenantid ↳microsoft-evsecurity-json-file-success-objectopen process-create:success (process-created) ↳microsoft-sysmon-xml-process-create-success-processcreate-1 ↳microsoft-sysmon-json-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-processcreate ↳microsoft-sysmon-kv-process-create-success-createremotethread ↳microsoft-sysmon-json-process-create-success-createremotethread ↳microsoft-sysmon-cef-process-create-success-sysmoncreateprocess ↳microsoft-sysmon-xml-process-create-success-processcreate-2 ↳microsoft-sysmon-kv-process-create-success-processcreate-1 ↳microsoft-sysmon-kv-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-1	T1003 - OS Credential Dumping T1040 - Network Sniffing T1041 - Exfiltration Over C2 Channel T1048 - Exfiltration Over Alternative Protocol T1059 - Command and Scripting Interperter T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1071.002 - Application Layer Protocol: File Transfer Protocols T1071.004 - Application Layer Protocol: DNS T1552 - Unsecured Credentials T1552.001 - T1552.001 T1560 - Archive Collected Data T1572 - Protocol Tunneling TA0002 - TA0002	9 Rules 1 Models
Data Leak	app-activity:success (app-activity) ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen file-write:success (file-write) ↳microsoft-sysmon-cef-file-write-success-filecreated ↳microsoft-sysmon-json-file-write-success-11 ↳microsoft-sysmon-kv-file-write-success-filecreate ↳microsoft-sysmon-json-file-write-success-2 ↳microsoft-sysmon-xml-file-write-success-11-1 ↳microsoft-defenderep-json-file-success-tenantid ↳microsoft-evsecurity-json-file-success-objectopen	T1114 - Email Collection T1114.001 - T1114.001 T1114.003 - Email Collection: Email Forwarding Rule	4 Rules
Evasion	process-create:success (process-created) ↳microsoft-sysmon-xml-process-create-success-processcreate-1 ↳microsoft-sysmon-json-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-processcreate ↳microsoft-sysmon-kv-process-create-success-createremotethread ↳microsoft-sysmon-json-process-create-success-createremotethread ↳microsoft-sysmon-cef-process-create-success-sysmoncreateprocess ↳microsoft-sysmon-xml-process-create-success-processcreate-2 ↳microsoft-sysmon-kv-process-create-success-processcreate-1 ↳microsoft-sysmon-kv-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-1 registry-create:success (registry-write) ↳microsoft-sysmon-mix-registry-create-success-valueset ↳microsoft-sysmon-json-registry-create-success-valuesettask13 ↳microsoft-sysmon-json-registry-modify-success-13 ↳microsoft-sysmon-str-registry-modify-success-13 ↳microsoft-sysmon-cef-registry-modify-success-registryvalueset ↳microsoft-sysmon-kv-registry-modify-success-registryvalueset ↳microsoft-evsecurity-json-file-success-objectopen	T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.003 - Masquerading: Rename System Utilities T1036.005 - Masquerading: Match Legitimate Name or Location T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.005 - T1059.005 T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1105 - Ingress Tool Transfer T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1140 - Deobfuscate/Decode Files or Information T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1218 - Signed Binary Proxy Execution T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.008 - T1218.008 T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1484 - Group Policy Modification T1484.001 - T1484.001 T1542 - Pre-OS Boot T1542.003 - T1542.003 T1543 - Create or Modify System Process T1543.003 - Create or Modify System Process: Windows Service T1552 - Unsecured Credentials T1552.006 - T1552.006 T1562 - Impair Defenses T1562.001 - T1562.001 T1562.004 - Impair Defenses: Disable or Modify System Firewall T1562.006 - T1562.006 T1564 - Hide Artifacts T1564.001 - T1564.001 T1564.002 - T1564.002 T1564.004 - Hide Artifacts: NTFS File Attributes T1574 - Hijack Execution Flow	46 Rules 3 Models
Lateral Movement	app-login:success (app-login) ↳microsoft-defenderep-json-app-login-success-timegenerated process-create:success (process-created) ↳microsoft-sysmon-xml-process-create-success-processcreate-1 ↳microsoft-sysmon-json-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-processcreate ↳microsoft-sysmon-kv-process-create-success-createremotethread ↳microsoft-sysmon-json-process-create-success-createremotethread ↳microsoft-sysmon-cef-process-create-success-sysmoncreateprocess ↳microsoft-sysmon-xml-process-create-success-processcreate-2 ↳microsoft-sysmon-kv-process-create-success-processcreate-1 ↳microsoft-sysmon-kv-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-1 network-session:success (process-network) ↳microsoft-sysmon-xml-network-session-success-3 ↳microsoft-sysmon-json-network-session-success-netconn ↳microsoft-sysmon-kv-mul-network-session-success-detected ↳microsoft-sysmon-cef-network-session-success-networkconndetected	T1021 - Remote Services T1021.001 - Remote Services: Remote Desktop Protocol T1021.003 - T1021.003 T1021.006 - T1021.006 T1047 - Windows Management Instrumentation T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1071 - Application Layer Protocol T1090 - Proxy T1090.003 - Proxy: Multi-hop Proxy T1190 - Exploit Public Fasing Application T1210 - Exploitation of Remote Services T1219 - Remote Access Software T1563 - Remote Service Session Hijacking T1563.002 - T1563.002 TA0008 - TA0008 TA0010 - TA0010 TA0011 - TA0011	65 Rules 20 Models
Malware	app-login:success (app-login) ↳microsoft-defenderep-json-app-login-success-timegenerated dns-request:success (dns-query) ↳microsoft-windows-kv-dns-request-success-query ↳microsoft-sysmon-xml-dns-request-success-query file-write:success (file-write) ↳microsoft-sysmon-cef-file-write-success-filecreated ↳microsoft-sysmon-json-file-write-success-11 ↳microsoft-sysmon-kv-file-write-success-filecreate ↳microsoft-sysmon-json-file-write-success-2 ↳microsoft-sysmon-xml-file-write-success-11-1 ↳microsoft-defenderep-json-file-success-tenantid ↳microsoft-evsecurity-json-file-success-objectopen dll-load:success (image-loaded) ↳microsoft-sysmon-kv-dll-load-success-7 alert-trigger:success (process-alert) ↳microsoft-sysmon-xml-alert-trigger-success-25 process-create:success (process-created) ↳microsoft-sysmon-xml-process-create-success-processcreate-1 ↳microsoft-sysmon-json-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-processcreate ↳microsoft-sysmon-kv-process-create-success-createremotethread ↳microsoft-sysmon-json-process-create-success-createremotethread ↳microsoft-sysmon-cef-process-create-success-sysmoncreateprocess ↳microsoft-sysmon-xml-process-create-success-processcreate-2 ↳microsoft-sysmon-kv-process-create-success-processcreate-1 ↳microsoft-sysmon-kv-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-1 network-session:success (process-network) ↳microsoft-sysmon-xml-network-session-success-3 ↳microsoft-sysmon-json-network-session-success-netconn ↳microsoft-sysmon-kv-mul-network-session-success-detected ↳microsoft-sysmon-cef-network-session-success-networkconndetected registry-create:success (registry-write) ↳microsoft-sysmon-mix-registry-create-success-valueset ↳microsoft-sysmon-json-registry-create-success-valuesettask13 ↳microsoft-sysmon-json-registry-modify-success-13 ↳microsoft-sysmon-str-registry-modify-success-13 ↳microsoft-sysmon-cef-registry-modify-success-registryvalueset ↳microsoft-sysmon-kv-registry-modify-success-registryvalueset ↳microsoft-evsecurity-json-file-success-objectopen	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021 - Remote Services T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.003 - T1053.003 T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1071 - Application Layer Protocol T1072 - Software Deployment Tools T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134 - Access Token Manipulation T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1190 - Exploit Public Fasing Application T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204 - User Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.008 - T1218.008 T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505 - Server Software Component T1505.003 - Server Software Component: Web Shell T1543 - Create or Modify System Process T1543.003 - Create or Modify System Process: Windows Service T1546 - Event Triggered Execution T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547 - Boot or Logon Autostart Execution T1547.001 - T1547.001 T1547.002 - T1547.002 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1562.004 - Impair Defenses: Disable or Modify System Firewall T1563 - Remote Service Session Hijacking T1563.002 - T1563.002 T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 T1583 - T1583 T1583.001 - T1583.001 TA0002 - TA0002 TA0010 - TA0010 TA0011 - TA0011	189 Rules 33 Models
Phishing	process-create:success (process-created) ↳microsoft-sysmon-xml-process-create-success-processcreate-1 ↳microsoft-sysmon-json-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-processcreate ↳microsoft-sysmon-kv-process-create-success-createremotethread ↳microsoft-sysmon-json-process-create-success-createremotethread ↳microsoft-sysmon-cef-process-create-success-sysmoncreateprocess ↳microsoft-sysmon-xml-process-create-success-processcreate-2 ↳microsoft-sysmon-kv-process-create-success-processcreate-1 ↳microsoft-sysmon-kv-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-1	T1566 - Phishing T1566.001 - T1566.001	1 Rules
Privilege Abuse	app-activity:success (app-activity) ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen app-login:success (app-login) ↳microsoft-defenderep-json-app-login-success-timegenerated file-delete:success (file-delete) ↳microsoft-sysmon-kv-file-delete-success-filedelete ↳microsoft-defenderep-json-file-success-tenantid file-read:success (file-read) ↳microsoft-evsecurity-json-file-success-objectopen file-write:success (file-write) ↳microsoft-sysmon-cef-file-write-success-filecreated ↳microsoft-sysmon-json-file-write-success-11 ↳microsoft-sysmon-kv-file-write-success-filecreate ↳microsoft-sysmon-json-file-write-success-2 ↳microsoft-sysmon-xml-file-write-success-11-1 ↳microsoft-defenderep-json-file-success-tenantid ↳microsoft-evsecurity-json-file-success-objectopen process-create:success (process-created) ↳microsoft-sysmon-xml-process-create-success-processcreate-1 ↳microsoft-sysmon-json-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-processcreate ↳microsoft-sysmon-kv-process-create-success-createremotethread ↳microsoft-sysmon-json-process-create-success-createremotethread ↳microsoft-sysmon-cef-process-create-success-sysmoncreateprocess ↳microsoft-sysmon-xml-process-create-success-processcreate-2 ↳microsoft-sysmon-kv-process-create-success-processcreate-1 ↳microsoft-sysmon-kv-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-1	T1047 - Windows Management Instrumentation T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account T1136.001 - Create Account: Create: Local Account	17 Rules 8 Models
Privilege Escalation	app-activity:success (app-activity) ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen process-create:success (process-created) ↳microsoft-sysmon-xml-process-create-success-processcreate-1 ↳microsoft-sysmon-json-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-processcreate ↳microsoft-sysmon-kv-process-create-success-createremotethread ↳microsoft-sysmon-json-process-create-success-createremotethread ↳microsoft-sysmon-cef-process-create-success-sysmoncreateprocess ↳microsoft-sysmon-xml-process-create-success-processcreate-2 ↳microsoft-sysmon-kv-process-create-success-processcreate-1 ↳microsoft-sysmon-kv-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-1	T1003 - OS Credential Dumping T1007 - System Service Discovery T1012 - Query Registry T1016 - System Network Configuration Discovery T1018 - Remote System Discovery T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1033 - System Owner/User Discovery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1049 - System Network Connections Discovery T1053 - Scheduled Task/Job T1053.002 - Scheduled Task/Job: At (Windows) T1053.005 - Scheduled Task/Job: Scheduled Task T1057 - Process Discovery T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1068 - Exploitation for Privilege Escalation T1082 - System Information Discovery T1087 - Account Discovery T1087.001 - Account Discovery: Local Account T1087.002 - Account Discovery: Domain Account T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134 - Access Token Manipulation T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1218 - Signed Binary Proxy Execution T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.003 - Signed Binary Proxy Execution: CMSTP T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1222 - File and Directory Permissions Modification T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification T1482 - Domain Trust Discovery T1484 - Group Policy Modification T1484.001 - T1484.001 T1518 - Software Discovery T1518.001 - T1518.001 T1543 - Create or Modify System Process T1543.003 - Create or Modify System Process: Windows Service T1547 - Boot or Logon Autostart Execution T1547.002 - T1547.002 T1548 - Abuse Elevation Control Mechanism T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control T1552 - Unsecured Credentials T1552.006 - T1552.006 T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.011 - T1574.011	47 Rules 7 Models
Privileged Activity	app-activity:success (app-activity) ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen app-login:success (app-login) ↳microsoft-defenderep-json-app-login-success-timegenerated file-delete:success (file-delete) ↳microsoft-sysmon-kv-file-delete-success-filedelete ↳microsoft-defenderep-json-file-success-tenantid file-read:success (file-read) ↳microsoft-evsecurity-json-file-success-objectopen file-write:success (file-write) ↳microsoft-sysmon-cef-file-write-success-filecreated ↳microsoft-sysmon-json-file-write-success-11 ↳microsoft-sysmon-kv-file-write-success-filecreate ↳microsoft-sysmon-json-file-write-success-2 ↳microsoft-sysmon-xml-file-write-success-11-1 ↳microsoft-defenderep-json-file-success-tenantid ↳microsoft-evsecurity-json-file-success-objectopen process-create:success (process-created) ↳microsoft-sysmon-xml-process-create-success-processcreate-1 ↳microsoft-sysmon-json-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-processcreate ↳microsoft-sysmon-kv-process-create-success-createremotethread ↳microsoft-sysmon-json-process-create-success-createremotethread ↳microsoft-sysmon-cef-process-create-success-sysmoncreateprocess ↳microsoft-sysmon-xml-process-create-success-processcreate-2 ↳microsoft-sysmon-kv-process-create-success-processcreate-1 ↳microsoft-sysmon-kv-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-1	T1078 - Valid Accounts T1482 - Domain Trust Discovery	4 Rules 1 Models
Ransomware	app-login:success (app-login) ↳microsoft-defenderep-json-app-login-success-timegenerated file-write:success (file-write) ↳microsoft-sysmon-cef-file-write-success-filecreated ↳microsoft-sysmon-json-file-write-success-11 ↳microsoft-sysmon-kv-file-write-success-filecreate ↳microsoft-sysmon-json-file-write-success-2 ↳microsoft-sysmon-xml-file-write-success-11-1 ↳microsoft-defenderep-json-file-success-tenantid ↳microsoft-evsecurity-json-file-success-objectopen process-create:success (process-created) ↳microsoft-sysmon-xml-process-create-success-processcreate-1 ↳microsoft-sysmon-json-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-processcreate ↳microsoft-sysmon-kv-process-create-success-createremotethread ↳microsoft-sysmon-json-process-create-success-createremotethread ↳microsoft-sysmon-cef-process-create-success-sysmoncreateprocess ↳microsoft-sysmon-xml-process-create-success-processcreate-2 ↳microsoft-sysmon-kv-process-create-success-processcreate-1 ↳microsoft-sysmon-kv-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-1	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1059 - Command and Scripting Interperter T1059.003 - T1059.003 T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1078 - Valid Accounts T1218 - Signed Binary Proxy Execution T1218.011 - Signed Binary Proxy Execution: Rundll32 T1222 - File and Directory Permissions Modification T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification T1486 - Data Encrypted for Impact T1490 - Inhibit System Recovery	5 Rules

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

2_ds_microsoft_sysmon.md

2_ds_microsoft_sysmon.md

Files

2_ds_microsoft_sysmon.md

Latest commit

History

2_ds_microsoft_sysmon.md

File metadata and controls