| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Tactic | Technique | ID | Procedure related detection traces | ||||||||||||||||||||||
2 | Execution | Command and Scripting Interpreter | T1059 | revshell_cmd_svchost_sysmon_1.evtx | ||||||||||||||||||||||
3 | Execution | Signed Binary Proxy Execution | T1218 | susp_explorer_exec_root_cmdline_rimpq_CyberRaiju.evtx | ||||||||||||||||||||||
4 | Execution | Scheduled Task | T1053 | Short time living scheduled task (4698 followed by 4699 in less than 1 min time window) | ||||||||||||||||||||||
5 | Execution | Signed Binary Proxy Execution | T1218 | susp_explorer_exec.evtx | ||||||||||||||||||||||
6 | Execution | Signed Binary Proxy Execution | T1218 | sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx | ||||||||||||||||||||||
8 | Execution | Signed Binary Proxy Execution | T1218 | rogue_msi_url_1040_1042.evtx | ||||||||||||||||||||||
9 | Execution | Windows Management Instrumentation | T1047 | Sysmon 1 - wmighost_sysmon_20_21_1.evtx (scrcons.exe) | ||||||||||||||||||||||
10 | Execution | Signed Binary Proxy Execution | T1218 | MSI Package Exec - Meterpreter Reverse TCP - Sysmon Exec - Exec_sysmon_meterpreter_reversetcp_msipackage.evtx | ||||||||||||||||||||||
11 | Persistence | Windows Management Instrumentation Event Subscription | T1084 | WMI CommandLineConsumer -> sysmon_20_21_1_CommandLineEventConsumer.evtx | ||||||||||||||||||||||
12 | Defense Evasion, Execution | Rundll32 | T1085 | Execution via Rundll32.exe (url.dll ieframe.dll)|OpenURL FileProtocolHandler]-> exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx | ||||||||||||||||||||||
13 | Defense Evasion | Masquerading | T1036 | Sysmon_10_1_ppid_spoofing.evtx | ||||||||||||||||||||||
14 | Defense Evasion, Execution | Rundll32 | T1085 | Launch an executable by calling OpenURL in shdocvw.dll -> exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx | ||||||||||||||||||||||
15 | Defense Evasion | DLL Search Order Hijacking | T1038 | Sysmon 7 dllhijack_cdpsshims_CDPSvc | ||||||||||||||||||||||
16 | Defense Evasion | DLL Search Order Hijacking | T1038 | Sysmon 7 Update Session Orchestrator Dll Hijack.evtx | ||||||||||||||||||||||
17 | Defense Evasion, Execution | Rundll32 | T1085 | Launch an executable payload by calling RouteTheCall in zipfldr.dll -> exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx | ||||||||||||||||||||||
18 | Defense Evasion, Execution | Rundll32 | T1085 | Launch an executable by calling the RegisterOCX function in Advpack.dll -> exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx | ||||||||||||||||||||||
19 | Defense Evasion | Signed Binary Proxy Execution | T1218 | Executes payload using the Program Compatibility Assistant (pcalua.exe) -> exec_sysmon_1_lolbin_pcalua.evtx | ||||||||||||||||||||||
20 | Defense Evasion, Execution | Rundll32 | T1085 | Execute payload by calling pcwutl.dll LaunchApplication function -> exec_sysmon_1_rundll32_pcwutl_launchapplication.evtx | ||||||||||||||||||||||
21 | Defense Evasion | Signed Binary Proxy Execution | T1218 | Execute payload using "ftp.exe -s:ftp_cmd.txt" binary -> sysmon_1_ftp.evtx | ||||||||||||||||||||||
22 | Defense Evasion, Execution | Regsvr32 | T1117 | Execute sct stuff using regsvr32\scrobj.dll from pastebin (both ms binaries renamed and normal ones captured) -> exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx & exec_sysmon_lobin_regsvr32_sct.evtx | ||||||||||||||||||||||
23 | Defense Evasion, Execution | Scripting | T1064 | AMSI bypass via jscript9.dll (not instrumented by AMSI) -> exec_sysmon_1_7_jscript9_defense_evasion.evtx | ||||||||||||||||||||||
24 | Defense Evasion, Execution | Rundll32 | T1085 | rundll32 (mshtml RunHTMLApplication)-> mshta -> schtasks.exe -> exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx | ||||||||||||||||||||||
25 | Initial Access | Drive-by Compromise | T1189 | Exec via Drive-by "Adobe Flash CVE-2018-15982" -> exec_driveby_cve-2018-15982_sysmon_1_10.evtx (SrcImg=iexplorer.exe and CallTrace contains "UNKNOWN") | ||||||||||||||||||||||
26 | Defense Evasion, Execution | XSL Script Processing | T1220 | Exec of cmds/code via XSL (Extensible Markup Language) and WMIC & MSXSL -> exec_wmic_xsl_internet_sysmon_3_1_11.evtx & exec_msxsl_xsl_sysmon_1_7.evtx | ||||||||||||||||||||||
27 | Lateral Movement | PowerShell | T1086 | Reverse Shell via PowerCat -> powercat_revShell_sysmon_1_3.evtx | ||||||||||||||||||||||
28 | Execution, Persistence | NA | NA | Exec & Persist from Volume Shadow Copy -> sysmon_exec_from_vss_persistence.evtx | ||||||||||||||||||||||
29 | Defense Evasion | Signed Binary Proxy Execution | T1218 | Lol-bin exec stuff via vshadow.exe (external MS SDK utility) -> sysmon_lolbin_bohops_vshadow_exec.evtx | ||||||||||||||||||||||
30 | Defense Evasion, Execution | Scripting, Mshta | T1064, T1170 | SharpShooter vbs and hta stagless payload executed to deliver (in-memory) meterpreter shellcode -> sysmon_vbs_sharpshooter_stageless_meterpreter.evtx & sysmon_mshta_sharpshooter_stageless_meterpreter.evtx | ||||||||||||||||||||||
31 | Defense Evasion | Process Injection | T1055 | Traces of Invoke-ReflectivePEInjection (sysmon 10, 8) to inject meterpreter into notepad (sysmon 10,1, 3) -> Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx | ||||||||||||||||||||||
32 | Execution | Compiled HTML File | T1223 | Execution via malicious Compilted HTML file -> Sysmon_Exec_CompiledHTML.evtx (parent_process_name = hh.exe) | ||||||||||||||||||||||
33 | Defense Evasion, Execution | Control Panel Items | T1196 | Execution via CPL module - Shell32.dll!Control_RunDLL (sysmon_1_11_rundll32_cpl_ostap.evtx) - Ostap JS malware | ||||||||||||||||||||||
34 | Discovery | Account Discovery | T1087 | PsLoggedOn.exe traces on the destination host | ||||||||||||||||||||||
35 | Discovery | Account Discovery | T1087 | BloodHoundAD\SharpHound (with default scan options) traces on one target host | ||||||||||||||||||||||
36 | Discovery | Account Discovery | T1087 | Domain Admins Group enumeration - 4661 (SAM_GROUP S-1-5-21-domain-512) - DC logs | ||||||||||||||||||||||
37 | Discovery | Process Discovery | T1057 | Process Listing via meterpreter "ps" command - meterpreter_ps_cmd_process_listing_sysmon_10.evtx (more than 10 of sysmon 10 events from same src process and twoard different target images and with same calltrace and granted access) | ||||||||||||||||||||||
38 | Discovery | Account Discovery | T1087 | Invoke-UserHunter traces on the source machine --> Recon_Sysmon_3_Invoke_UserHunter_SourceMachine.evtx | ||||||||||||||||||||||
39 | Discovery | Account Discovery | T1087 | Discovery_sysmon_18_Invoke_UserHunter_NetSessionEnum_DC-srvsvc.evtx | ||||||||||||||||||||||
40 | Discovery | Network Share Discovery | T1135 | Traces of shares enumeration using "net view \target /all" on a target host using sysmon -> enum_shares_target_sysmon_3_18.evtx | ||||||||||||||||||||||
41 | Discovery | Account Discovery | T1087 | Enumeration of local user or group in Win10/16 and above will leave eventids 4798 or 4799 if enabled -> discovery_local_user_or_group_windows_security_4799_4798.evtx | ||||||||||||||||||||||
42 | Persistence | Application Shimming | T1138 | Application Shimming: sysmon (13 11) and windows native event 500 "Microsoft-Windows-Application-Experience\Program-Telemetry" | ||||||||||||||||||||||
43 | Persistence | Valid Accounts | T1078 | Assigning required DCSync AD extended rights to a backdoor regular account (PowerView DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl) - EventIDs 5136 & 4662 | ||||||||||||||||||||||
44 | Persistence | Windows Management Instrumentation Event Subscription | T1084 | WMIGhost malware sysmon 20 21 and 1 (ActiveScriptEventConsumer) - wmighost_sysmon_20_21_1.evtx | ||||||||||||||||||||||
45 | Persistence | Valid Accounts | T1138 | DCShadow - 4742 Computer Account changed - SPN contains "GC" and "HOST" - persistence_security_dcshadow_4742.evtx | ||||||||||||||||||||||
46 | Persistence | BITS Jobs | T1197 | Bitsadminexec - sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx (runtime traces) & persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx (creation and runtime traces) | ||||||||||||||||||||||
47 | Persistence | Accessibility Features | T1015 | Persistent System Access via replacing onscreenkeyboard PE with cmd.exe -> persistence_accessibility_features_osk_sysmon1.evtx | ||||||||||||||||||||||
48 | Persistence | Component Object Model Hijacking | T1122 | Persistence via COM hijack of : {BCDE0395-E52F-467C-8E3D-C4579291692E} - CLSID_MMDeviceEnumerator (used i.e. by Firefox) -> persist_firefox_comhijack_sysmon_11_13_7_1.evtx | ||||||||||||||||||||||
49 | Persistence | Component Object Model Hijacking | T1122 | Persistence via COM hijack of "Outlook Protocol Manager" using TreatAs key for clsid lookup redirection (Turla APT Outlook backdoor) -> persist_turla_outlook_backdoor_comhijack.evtx | ||||||||||||||||||||||
50 | Persistence | Registry Run Keys / Startup Folder | T1060 | Startup++ -> persistence_startup_UserShellStartup_Folder_Changed_sysmon_13.evtx | ||||||||||||||||||||||
51 | Persistence | Logon Scripts | T1037 | Via Winlogon Shell registry -> sysmon_13_1_persistence_via_winlogon_shell.evtx (13 for reg change 1 with parentproc eqto userinit.exe for runtime detection) | ||||||||||||||||||||||
52 | Persistence | Image File Execution Options Injection | T1183 | Persistence using IFEO GlobalFlag and SilentProcessExit ImageFile Hijack (evil.exe starts when notepad.exe is closed) -> persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx (evil.exe is started as a child of werfault.exe) | ||||||||||||||||||||||
53 | Privilege Escalation | Access Token Manipulation | T1134 | Via Named Pipe Impersonation - sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx (.\pipe\random present in sysmon 1 cmdline and in service registry) and System_7045_namedpipe_privesc.evtx for default windows system event 7045 (service creation) | ||||||||||||||||||||||
54 | Privilege Escalation | Access Token Manipulation | T1134 | Elevate from administrator to NT AUTHORITY SYSTEM using handle inheritance (lsass.exe spawn process) -> sysmon_privesc_from_admin_to_system_handle_inheritance.evtx | ||||||||||||||||||||||
55 | Privilege Escalation | Scheduled Task | T1053 | Execution as System via a local temp scheduled task creation that runs as system -> sysmon_1_11_exec_as_system_via_schedtask.evtx | ||||||||||||||||||||||
56 | Privilege Escalation | Scheduled Task and Token Impersonation | T1053 T1134 | PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx | ||||||||||||||||||||||
57 | Privilege Escalation | Access Token Manipulation | T1134/005 | 4765_sidhistory_add_t1178.evtx | ||||||||||||||||||||||
58 | Privilege Escalation | Access Token Manipulation | T1134 | Invoke_TokenDuplication_UAC_Bypass4624.evtx | ||||||||||||||||||||||
59 | Privilege Escalation | Access Token Manipulation | T1134 | win10_4703_SeDebugPrivilege_enabled.evtx | ||||||||||||||||||||||
60 | Privilege Escalation | Access Token Manipulation | T1134 | 4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx | ||||||||||||||||||||||
61 | Privilege Escalation | Access Token Manipulation | T1134 | Rotten Potato exploit to esc from service account to local system via impersonation (bits COM fetch RPC rogue server NTLM MITM)-> privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx | ||||||||||||||||||||||
62 | Privilege Escalation | Access Token Manipulation | T1134 | Invoke-BypassUACTokenManipulation and Invoke-TokenDuplication have a hardcoded default domain\user (o\l) within CreateProcessWithLogonW, which create an artifacts in event 4624 with logon type equal to 9 and Network Account Name: l, Network Account Domain: o | ||||||||||||||||||||||
63 | Credential Access | Input Prompt | T1141 | Phish_windows_credentials_powershell_scriptblockLog_4104.evtx | ||||||||||||||||||||||
64 | Credential Access | BruteForce | T1110 | MSSQL_multiple_failed_logon_EventID_18456.evtx | ||||||||||||||||||||||
65 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass via EventViewer (mscfile\shell\open set to a cmd) - Sysmon 13 and 1 -> Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx | ||||||||||||||||||||||
66 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass via hijacking the "IsolatedCommand" value in "shell\runas\command" - Sysmon 13 and 1 -> Sysmon_13_1_UACBypass_SDCLTBypass.evtx | ||||||||||||||||||||||
67 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass via rogue WScript.exe manifest -> sysmon_11_1_15_WScriptBypassUAC.evtx | ||||||||||||||||||||||
68 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass via App Path Control.exe Hijack -> sysmon_1_13_UACBypass_AppPath_Control.evtx | ||||||||||||||||||||||
69 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass using perfmon and registry key manipulation -> sysmon_13_1_12_11_perfmonUACBypass.evtx | ||||||||||||||||||||||
70 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass using compmgmtlauncher and registry key manip -> sysmon_13_1_compmgmtlauncherUACBypass.evtx | ||||||||||||||||||||||
71 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass using cliconfg (DLL - NTWDBLIB.dll) -> sysmon_11_1_7_uacbypass_cliconfg.evtx | ||||||||||||||||||||||
72 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass using using mcx2prov.exe (CRYPTBASE DLL) -> sysmon_1_7_11_mcx2prov_uacbypass.evtx | ||||||||||||||||||||||
73 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass using migwiz.exe (CRYPTBASE DLL) -> sysmon_1_7_11_migwiz.evtx | ||||||||||||||||||||||
74 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass using sysprep.exe (CRYPTBASE DLL) -> sysmon_1_7_11_sysprep_uacbypass.evtx | ||||||||||||||||||||||
75 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass using token manipulation -> security_4624_4673_token_manip.evtx (LT=9 and SeTcbPrivilege use) | ||||||||||||||||||||||
76 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass using using cmstp and ini file -> sysmon_1_13_11_cmstp_ini_uacbypass.evtx (dllhost.exe {3E5FC7F9-9A51-4367-9063-A120244FBEC7} hosting CMSTPLUA and spawning desired elevated process) | ||||||||||||||||||||||
77 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass via mocking Windows Trusted Folders -> sysmon_11_7_1_uacbypass_windirectory_mocking.evtx | ||||||||||||||||||||||
78 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass method 33 of UACME (registry \hms-settings\shell\open\command\) -> Stsmon_UACME_33.evtx [Big thanks to UACME folks] | ||||||||||||||||||||||
79 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass method 34 of UACME (Environment variable expansion windir and hijac\exec of default scheduled task silentcleanup) -> Sysmon_UACME_34.evtx. | ||||||||||||||||||||||
80 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass method 30 of UACME (DLL hijack wow64log.dll) -> Sysmon_UACME_30.evtx | ||||||||||||||||||||||
81 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass method 32 of UACME (DLL hijack: duser.dll or osksupport.dll) -> Sysmon_UACME_32.evtx [not stable] | ||||||||||||||||||||||
82 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass method 22 of UACME (DLL hijack: comctl32.dll ParentProc consent.exe) -> Sysmon_UACME_22.evtx | ||||||||||||||||||||||
83 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass method 23 (DLL hijck: DismCore.dll ParentProc Dism.exe) -> Sysmon_UACME_23.evtx | ||||||||||||||||||||||
84 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass 36 and 37 of UACME failed but left FileCreation artifact tied to DLL hijack (MsCoree.dll GdiPlus.dll) both tested on [Version 10.0.17763.615] | ||||||||||||||||||||||
85 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass 38 of UACME parent process is mmc.exe and .msc file creation -> Sysmon_UACME_38.evtx | ||||||||||||||||||||||
86 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass method 39 of UACME (Dll hijack pe386.dll loaded by mmc.exe) -> Sysmon_UACME_39.evtx | ||||||||||||||||||||||
87 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass method 41 of UACME (parent process dllhost.exe with CMSTPLUA COM CLSID in the cmdline) -> Sysmon_UACME_41.evtx | ||||||||||||||||||||||
88 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass method 43 of UACME (parent process dllhost.exe with Color Management COM CLSID in the cmdline) -> Sysmon_UACME_43.evtx | ||||||||||||||||||||||
89 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass method 45 of UACME (registry change) -> Sysmon_UACME_45.evtx | ||||||||||||||||||||||
90 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass method 53 of UACME (reg change, control.exe parent proc of elevated payload) -> Sysmon_UACME_53.evtx | ||||||||||||||||||||||
91 | Privilege Escalation | Bypass User Account Control | T1088 | UAC Bypass method 56 of UACME (reg change, WSReset.exe as parent process) -> Sysmon_UACME_56.evtx | ||||||||||||||||||||||
92 | Privilege Escalation | Bypass User Account Control | T1088 | Sysmon_uacme_58.evtx | ||||||||||||||||||||||
93 | Privilege Escalation | Bypass User Account Control | T1088 | UACME_61_Changepk.evtx | ||||||||||||||||||||||
94 | Privilege Escalation | Exploitation | T1068 | CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx | ||||||||||||||||||||||
95 | Privilege Escalation | Exploitation | T1068 | PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx | ||||||||||||||||||||||
96 | Privilege Escalation | Exploitation | T1068 | RogueWinRM.evtx | ||||||||||||||||||||||
97 | Privilege Escalation | Access Token Manipulation | T1134 | PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx | ||||||||||||||||||||||
98 | Privilege Escalation | Access Token Manipulation | T1134 | PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx | ||||||||||||||||||||||
99 | Privilege Escalation | Access Token Manipulation | T1134 | privesc_roguepotato_sysmon_17_18.evtx | ||||||||||||||||||||||
100 | Privilege Escalation | Access Token Manipulation | T1134 | privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx | ||||||||||||||||||||||
101 | Privilege Escalation | Hijack Execution Flow | T1574 | privesc_unquoted_svc_sysmon_1_11.evtx |