Create MITRE_TECHNIQUES_FROM_SYSMON_EVENT12.xml
443
Windows_Sysmon/MITRE_TECHNIQUES_FROM_SYSMON_EVENT12.xml
Normal file
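--- /dev/null
+++ b/Windows_Sysmon/MITRE_TECHNIQUES_FROM_SYSMON_EVENT12.xml
@@ -0,0 +1,443 @@
+<group name="windows,sysmon,">
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111101" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1546.011,technique_name=Application Shimming$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1546</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111102" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1547.002,technique_name=Authentication Package$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1547</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111103" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1547</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111104" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1037,technique_name=Boot or Logon Initialization Scripts$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1037</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111105" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1547.004,technique_name=Winlogon Helper DLL$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1547</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111106" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1546.001,technique_name=Change Default File Association$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1546</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111107" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1548.002,technique_name=Bypass User Access Control$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1548</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111108" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1546.015,technique_name=Component Object Model Hijacking$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1546</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111109" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1003.002,technique_name=Security Account Manager$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1003</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111110" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1098,technique_name=Account Manipulation$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1098</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111111" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1546.010,technique_name=Appinit DLLs$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1546</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111112" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1562.006,technique_name=Impair Defenses - Indicator Blocking$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1562</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111113" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1015,technique_name=Accessibility Features$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1015</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111114" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1562.002,technique_name=Disable Windows Event Logging$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1562</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111115" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1546.012,technique_name=Image File Execution Options Injection$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1546</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111116" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1546.007,technique_name=Netsh Helper DLL$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1546</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111117" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1137.006,technique_name=Office Add-ins$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1137</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111118" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1137.004,technique_name=Outlook Home Page$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1137</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111119" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1021.001,technique_name=Remote Desktop Protocol$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1021</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111120" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1053,technique_name=Scheduled Task$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1053</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111121" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1547.005,technique_name=Security Support Provider$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1547</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111122" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1543,technique_name=Service Creation$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1543</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111123" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1553.003,technique_name=SIP and Trust Provider Hijacking$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1553</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111124" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1569.002,technique_name=Service Execution$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1569</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111125" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1105,technique_name=Ingress Tool Transfer$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1105</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111126" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1033,technique_name=System Owner/User Discovery$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1033</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111127" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1057,technique_name=Process Discovery$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1057</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111128" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1089,technique_name=Disabling Security Tools$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1089</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111129" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1547.003,technique_name=Time Providers$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1547</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111130" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1218,technique_name=Signed Binary Proxy Execution$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1218</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111131" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1546.009,technique_name=AppCert DLLs$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1546</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111132" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1125,technique_name=Video Capture$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1125</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111133" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1123,technique_name=Audio Capture$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1123</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111134" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1005,technique_name=Data from Local System$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1005</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111135" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1056.001,technique_name=Input Capture - Keylogging$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1056</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111136" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1003,technique_name=Credential Dumping$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1003</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111137" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1547.010,technique_name=Boot or Logon Autostart Execution - Port Monitors$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1547</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111138" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1130,technique_name=Install Root Certificate$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1130</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111139" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1210,technique_name=Exploitation of Remote Services$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1210</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image) -->
+<rule id="111140" level="3">
+<if_sid>61614</if_sid>
+<field name="win.eventdata.RuleName">^technique_id=T1047,technique_name=Windows Management Instrumentation$</field>
+<description>Sysmon - Event 12: RegistryEvent (Object create and delete) by $(win.eventdata.image)</description>
+<mitre>
+<id>T1047</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_12,</group>
+</rule>
+<!-- Sysmon - Event 12: Exceptions -->
+</group>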
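Review bot: Three of the `<mitre><id>` values are ATT&CK technique IDs that have been revoked upstream — `T1015` in rule 111113 was folded into T1546.008, `T1089` in rule 111128 into T1562.001 and `T1130` in rule 111138 into T1553.004 — so the Wazuh MITRE database may not resolve them and those alerts would likely lose tactic/technique enrichment. The fix is `<id>T1546.008</id>`, `<id>T1562.001</id>` and `<id>T1553.004</id>` respectively, with the matching `technique_id=` patterns in the RuleName field updated in step with whatever the Sysmon configuration actually emits, since the `^…$` anchors require an exact match. The `.` inside every sub-technique pattern such as `technique_id=T1546.011` is an unescaped regex metacharacter and matches any character rather than a literal dot; `T1546\.011` pins it. The closing `<!-- Sysmon - Event 12: Exceptions -->` comment introduces no rules, so either the exception rules are missing or the comment should say the section is intentionally empty.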