<group name="windows,sysmon,">
  <!--
    Sysmon Event 14 (RegistryEvent: Key and Value Rename) mapped to MITRE ATT&CK techniques.

    Every rule in this group:
      * chains on rule 61616 (the parent rule for Sysmon Event 14) via <if_sid>;
      * matches win.eventdata.RuleName against an anchored (^...$) pattern, so the Sysmon
        configuration must emit exactly "technique_id=<id>,technique_name=<name>" as the
        RuleName for the rule to fire - the regex is the only per-rule discriminator;
      * records the parent technique in <mitre><id>, sets no_full_log and tags the alert
        with the sysmon_event_14 group.
    Levels are 3 (informational) for every rule except 113141 (level 10).

    NOTE(review): the field name "win.eventdata.RuleName" keeps the upper-case R of the raw
    Sysmon field, while the descriptions use the lower-case-first "$(win.eventdata.image)".
    If the eventchannel decoder lower-cases the first character of EventData field names
    (as the description form suggests), these rules would need "win.eventdata.ruleName" to
    match at all - confirm with a live Event 14 sample (e.g. wazuh-logtest) before relying
    on them.
    NOTE(review): the technique ids/names are whatever the Sysmon config emits. T1015,
    T1089 and T1130 are revoked ATT&CK ids (superseded by T1546.008, T1562.001 and
    T1553.004); the <mitre> mapping may need updating if the MITRE database in use no
    longer resolves them.
    NOTE(review): the <field> patterns carry no type attribute, so they are evaluated as
    Wazuh OS_Regex, where "\." is the any-character class and a bare "." appears to match a
    literal dot - do not "escape" the dots in the technique ids unless also switching the
    field to type="pcre2".
    NOTE(review): all 41 descriptions are identical, so alerts differ only by rule id and
    the matched RuleName; appending the technique to the description would make triage
    easier, but the field name to substitute depends on the casing question above.
  -->

  <!-- 113101: T1546.011 Application Shimming -> mitre T1546 -->
  <rule id="113101" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1546.011,technique_name=Application Shimming$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1546</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113102: T1547.002 Authentication Package -> mitre T1547 -->
  <rule id="113102" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1547.002,technique_name=Authentication Package$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1547</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113103: T1547.001 Registry Run Keys / Start Folder -> mitre T1547 -->
  <rule id="113103" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1547</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113104: T1037 Boot or Logon Initialization Scripts -> mitre T1037 -->
  <rule id="113104" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1037,technique_name=Boot or Logon Initialization Scripts$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1037</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113105: T1547.004 Winlogon Helper DLL -> mitre T1547 -->
  <rule id="113105" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1547.004,technique_name=Winlogon Helper DLL$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1547</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113106: T1546.001 Change Default File Association -> mitre T1546 -->
  <rule id="113106" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1546.001,technique_name=Change Default File Association$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1546</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113107: T1548.002 Bypass User Access Control -> mitre T1548 -->
  <rule id="113107" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1548.002,technique_name=Bypass User Access Control$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1548</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113108: T1546.015 Component Object Model Hijacking -> mitre T1546 -->
  <rule id="113108" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1546.015,technique_name=Component Object Model Hijacking$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1546</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113109: T1003.002 Security Account Manager -> mitre T1003 -->
  <rule id="113109" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1003.002,technique_name=Security Account Manager$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1003</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113110: T1098 Account Manipulation -> mitre T1098 -->
  <rule id="113110" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1098,technique_name=Account Manipulation$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1098</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113111: T1546.010 Appinit DLLs -> mitre T1546 -->
  <rule id="113111" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1546.010,technique_name=Appinit DLLs$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1546</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113112: T1562.006 Impair Defenses - Indicator Blocking -> mitre T1562 -->
  <rule id="113112" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1562.006,technique_name=Impair Defenses - Indicator Blocking$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1562</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113113: T1015 Accessibility Features -> mitre T1015 (revoked id, see header note) -->
  <rule id="113113" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1015,technique_name=Accessibility Features$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1015</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113114: T1562.002 Disable Windows Event Logging -> mitre T1562 -->
  <rule id="113114" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1562.002,technique_name=Disable Windows Event Logging$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1562</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113115: T1546.012 Image File Execution Options Injection -> mitre T1546 -->
  <rule id="113115" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1546.012,technique_name=Image File Execution Options Injection$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1546</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113116: T1546.007 Netsh Helper DLL -> mitre T1546 -->
  <rule id="113116" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1546.007,technique_name=Netsh Helper DLL$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1546</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113117: T1137.006 Office Add-ins -> mitre T1137 -->
  <rule id="113117" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1137.006,technique_name=Office Add-ins$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1137</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113118: T1137.004 Outlook Home Page -> mitre T1137 -->
  <rule id="113118" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1137.004,technique_name=Outlook Home Page$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1137</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113119: T1021.001 Remote Desktop Protocol -> mitre T1021 -->
  <rule id="113119" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1021.001,technique_name=Remote Desktop Protocol$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1021</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113120: T1053 Scheduled Task -> mitre T1053 -->
  <rule id="113120" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1053,technique_name=Scheduled Task$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1053</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113121: T1547.005 Security Support Provider -> mitre T1547 -->
  <rule id="113121" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1547.005,technique_name=Security Support Provider$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1547</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113122: T1543 Service Creation -> mitre T1543 -->
  <rule id="113122" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1543,technique_name=Service Creation$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1543</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113123: T1553.003 SIP and Trust Provider Hijacking -> mitre T1553 -->
  <rule id="113123" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1553.003,technique_name=SIP and Trust Provider Hijacking$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1553</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113124: T1569.002 Service Execution -> mitre T1569 -->
  <rule id="113124" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1569.002,technique_name=Service Execution$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1569</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113125: T1105 Ingress Tool Transfer -> mitre T1105 -->
  <rule id="113125" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1105,technique_name=Ingress Tool Transfer$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1105</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113126: T1033 System Owner/User Discovery -> mitre T1033 -->
  <rule id="113126" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1033,technique_name=System Owner/User Discovery$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1033</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113127: T1057 Process Discovery -> mitre T1057 -->
  <rule id="113127" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1057,technique_name=Process Discovery$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1057</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113128: T1089 Disabling Security Tools -> mitre T1089 (revoked id, see header note) -->
  <rule id="113128" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1089,technique_name=Disabling Security Tools$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1089</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113129: T1547.003 Time Providers -> mitre T1547 -->
  <rule id="113129" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1547.003,technique_name=Time Providers$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1547</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113130: T1218 Signed Binary Proxy Execution -> mitre T1218 -->
  <rule id="113130" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1218,technique_name=Signed Binary Proxy Execution$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1218</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113131: T1546.009 AppCert DLLs -> mitre T1546 -->
  <rule id="113131" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1546.009,technique_name=AppCert DLLs$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1546</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113132: T1125 Video Capture -> mitre T1125 -->
  <rule id="113132" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1125,technique_name=Video Capture$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1125</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113133: T1123 Audio Capture -> mitre T1123 -->
  <rule id="113133" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1123,technique_name=Audio Capture$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1123</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113134: T1005 Data from Local System -> mitre T1005 -->
  <rule id="113134" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1005,technique_name=Data from Local System$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1005</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113135: T1056.001 Input Capture - Keylogging -> mitre T1056 -->
  <rule id="113135" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1056.001,technique_name=Input Capture - Keylogging$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1056</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113136: T1003 Credential Dumping -> mitre T1003 -->
  <rule id="113136" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1003,technique_name=Credential Dumping$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1003</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113137: T1547.010 Boot or Logon Autostart Execution - Port Monitors -> mitre T1547 -->
  <rule id="113137" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1547.010,technique_name=Boot or Logon Autostart Execution - Port Monitors$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1547</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113138: T1130 Install Root Certificate -> mitre T1130 (revoked id, see header note) -->
  <rule id="113138" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1130,technique_name=Install Root Certificate$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1130</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113139: T1210 Exploitation of Remote Services -> mitre T1210 -->
  <rule id="113139" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1210,technique_name=Exploitation of Remote Services$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1210</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!-- 113140: T1047 Windows Management Instrumentation -> mitre T1047 -->
  <rule id="113140" level="3">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1047,technique_name=Windows Management Instrumentation$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1047</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>

  <!--
    113141: T1113 "Recall Enabled via Registry Delete" -> mitre T1113; level 10, the only
    non-informational rule in this group.
    NOTE(review): the RuleName refers to a registry delete, but this rule sits under the
    Event 14 (key/value rename) parent. Verify that the Sysmon config really attaches this
    RuleName to a rename filter; otherwise the rule cannot fire and the detection belongs
    with the Event 12 rules instead.
  -->
  <rule id="113141" level="10">
    <if_sid>61616</if_sid>
    <field name="win.eventdata.RuleName">^technique_id=T1113,technique_name=Recall Enabled via Registry Delete$</field>
    <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
    <mitre>
      <id>T1113</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_event_14,</group>
  </rule>
</group>