Vendor: Microsoft Product: Sysmon Rules Models MITRE ATT&CK® TTPs Activity Types Parsers 485 114 158 11 23 Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content Abnormal Authentication & Access app-activity:success (app-activity) ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen app-login:success (app-login) ↳microsoft-defenderep-json-app-login-success-timegenerated T1078 - Valid AccountsT1133 - External Remote Services 12 Rules4 Models Account Manipulation app-activity:success (app-activity) ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen ↳microsoft-evsecurity-json-file-success-objectopen process-create:success (process-created) ↳microsoft-sysmon-xml-process-create-success-processcreate-1 ↳microsoft-sysmon-json-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-processcreate ↳microsoft-sysmon-kv-process-create-success-createremotethread ↳microsoft-sysmon-json-process-create-success-createremotethread ↳microsoft-sysmon-cef-process-create-success-sysmoncreateprocess ↳microsoft-sysmon-xml-process-create-success-processcreate-2 ↳microsoft-sysmon-kv-process-create-success-processcreate-1 ↳microsoft-sysmon-kv-process-create-success-processcreate ↳microsoft-sysmon-xml-process-create-success-1 T1003 - OS Credential DumpingT1003.003 - T1003.003T1021 - Remote ServicesT1021.003 - T1021.003T1059 - Command and Scripting InterperterT1059.001 - Command and Scripting Interperter: PowerShellT1059.003 - T1059.003T1078 - Valid AccountsT1098 - Account ManipulationT1098.002 - Account Manipulation: Exchange Email Delegate PermissionsT1136 - Create AccountT1136.001 - Create Account: Create: Local AccountT1218 - Signed Binary Proxy ExecutionT1218.010 - Signed Binary Proxy Execution: Regsvr32T1531 - Account Access RemovalT1559 - Inter-Process CommunicationT1559.002 - T1559.002 16 Rules7 Models Destruction of Data file-delete:success (file-delete) ↳microsoft-sysmon-kv-file-delete-success-filedelete ↳microsoft-defenderep-json-file-success-tenantid T1070 - Indicator Removal on HostT1070.004 - Indicator Removal on Host: File DeletionT1485 - Data Destruction 1 Rules Next Page -->> MITRE ATT&CK® Framework for Enterprise Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact External Remote ServicesValid AccountsExploit Public Fasing ApplicationPhishing Windows Management InstrumentationCommand and Scripting InterperterScheduled Task/JobInter-Process CommunicationSystem ServicesExploitation for Client ExecutionUser ExecutionScheduled Task/Job: Scheduled TaskCommand and Scripting Interperter: PowerShellSoftware Deployment ToolsScheduled Task/Job: At (Windows) Pre-OS BootCreate AccountCreate or Modify System ProcessExternal Remote ServicesValid AccountsHijack Execution FlowServer Software Component: Web ShellAccount ManipulationBITS JobsCreate or Modify System Process: Windows ServiceScheduled Task/JobServer Software ComponentEvent Triggered ExecutionBoot or Logon Autostart ExecutionCreate Account: Create: Local AccountAccount Manipulation: Exchange Email Delegate Permissions Access Token Manipulation: Token Impersonation/TheftCreate or Modify System ProcessValid AccountsAccess Token ManipulationExploitation for Privilege EscalationHijack Execution FlowGroup Policy ModificationProcess InjectionScheduled Task/JobAbuse Elevation Control MechanismEvent Triggered ExecutionBoot or Logon Autostart ExecutionProcess Injection: Dynamic-link Library InjectionAbuse Elevation Control Mechanism: Bypass User Account Control Hide ArtifactsIndirect Command ExecutionImpair DefensesIndicator Removal on Host: Clear Windows Event LogsGroup Policy ModificationTrusted Developer Utilities Proxy ExecutionMasquerading: Match Legitimate Name or LocationMasquerading: Rename System UtilitiesFile and Directory Permissions Modification: Windows File and Directory Permissions ModificationObfuscated Files or Information: Compile After DeliveryObfuscated Files or Information: Indicator Removal from ToolsHijack Execution Flow: DLL Side-LoadingIndicator Removal on Host: File DeletionMasqueradingValid AccountsModify RegistryBITS JobsUse Alternate Authentication MaterialHide Artifacts: NTFS File AttributesIndicator Removal on HostUse Alternate Authentication Material: Pass the TicketPre-OS BootFile and Directory Permissions ModificationDeobfuscate/Decode Files or InformationAbuse Elevation Control MechanismImpair Defenses: Disable or Modify System FirewallObfuscated Files or InformationSigned Binary Proxy Execution: Compiled HTML FileAccess Token ManipulationHijack Execution FlowProcess InjectionSigned Binary Proxy Execution: MsiexecSigned Binary Proxy ExecutionSigned Binary Proxy Execution: Regsvcs/RegasmSigned Binary Proxy Execution: CMSTPSigned Binary Proxy Execution: Control PanelSigned Binary Proxy Execution: InstallUtilSigned Binary Proxy Execution: Regsvr32Trusted Developer Utilities Proxy Execution: MSBuildSigned Binary Proxy Execution: Rundll32 OS Credential DumpingUnsecured CredentialsSteal or Forge Kerberos TicketsCredentials from Password StoresSteal or Forge Kerberos Tickets: KerberoastingNetwork Sniffing Account DiscoveryDomain Trust DiscoverySystem Service DiscoverySystem Network Connections DiscoveryAccount Discovery: Local AccountAccount Discovery: Domain AccountFile and Directory DiscoveryNetwork SniffingSystem Information DiscoveryNetwork Share DiscoveryQuery RegistryProcess DiscoverySystem Owner/User DiscoverySoftware DiscoveryRemote System DiscoverySystem Network Configuration Discovery Exploitation of Remote ServicesRemote Service Session HijackingRemote ServicesRemote Services: SMB/Windows Admin SharesUse Alternate Authentication MaterialRemote Services: Remote Desktop ProtocolSoftware Deployment Tools Screen CaptureEmail CollectionAudio CaptureArchive Collected DataEmail Collection: Email Forwarding Rule Protocol TunnelingApplication Layer Protocol: DNSApplication Layer Protocol: File Transfer ProtocolsApplication Layer Protocol: Web ProtocolsRemote Access SoftwareDynamic ResolutionIngress Tool TransferDynamic Resolution: Domain Generation AlgorithmsProxy: Multi-hop ProxyApplication Layer ProtocolProxy Exfiltration Over Alternative ProtocolExfiltration Over C2 Channel Account Access RemovalData DestructionResource HijackingData Encrypted for ImpactInhibit System Recovery