Threat Hunting with MITRE ATT&CK Framework and Windows Event Logs
(I hope)
Introduction
What is MITRE?
MITRE is a non-profit organization that supports government and industry in research and development, focusing on national security, healthcare, and cybersecurity. They are known for creating frameworks like ATT&CK to enhance threat detection and defense strategies.
What is ATT&CK?
ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible framework by MITRE that details adversary tactics and techniques based on real-world observations. It helps organizations understand and improve their cybersecurity defenses against various threats.
What is TTP?
TTP stands for Tactics, Techniques, and Procedures, which describe the behavior and methods used by adversaries during cyberattacks. It helps analysts understand and identify patterns of malicious activity to better defend against threats.
What is Windows Event Log?
Windows Event Log is a system in Microsoft Windows that records significant events like system notifications, errors, and security-related activities. It is used for monitoring and analyzing system behavior, aiding in the detection of security incidents.
Overview of MITRE ATT&CK Framework
Mapping Windows Event Log with MITRE ATT&CK Framework
It is important to note that the relationship between Windows Event Logs and the MITRE ATT&CK Framework is not one-to-one: a single Windows Event ID can be linked to multiple tactics and techniques.
When investigating a possible attack it is always worth establishing the context of the analysis.
For example, ‘T1078 Valid Accounts’ exists under the Initial Access, Persistence and Privilege Escalation tactics. So using Event IDs 4624, 4625, 4672, 4648, 4768, 4749 and 4634 we can track which credentials were used, and then build enough context around the data to determine where it sits in the framework. All I’m yapping about is that these IDs are not a sure-fire way to get you the answer you need. It’s still you, the analyst, who will pin down the answer you’re looking for ;) you can do this.
| TID | Technique Name | Related Windows Event ID |
|---|---|---|
| T1001 | Data Obfuscation | (4688, 4104) |
| T1003 | OS Credential Dumping | (4688, 4663, 4624) |
| T1005 | Data from Local System | (4663, 4690) |
| T1006 | Direct Volume Access | (4697, 4698) |
| T1007 | System Service Discovery | (7045, 4688) |
| T1008 | Fallback Channels | (5156, 4688) |
| T1010 | Application Window Discovery | (4688) |
| T1011 | Exfiltration Over Other Network Medium | (5156, 4663, 4688) |
| T1012 | Query Registry | (4657, 4663) |
| T1014 | Rootkit | NA |
| T1016 | System Network Configuration Discovery | (4688, 4656) |
| T1018 | Remote System Discovery | (5140, 5156) |
| T1020 | Automated Exfiltration | (5156, 4688) |
| T1021 | Remote Services | (4624) |
| T1025 | Data from Removable Media | (4663, 4624) |
| T1027 | Obfuscated Files or Information | NA |
| T1029 | Scheduled Transfer | (4698, 4699, 4688) |
| T1030 | Data Transfer Size Limits | (5156, 5152, 4688) |
| T1033 | System Owner/User Discovery | (4698, 4699, 4688) |
| T1036 | Masquerading | (4688) |
| T1037 | Boot or Logon Initialization Scripts | (4688) |
| T1039 | Data from Network Shared Drive | (5140, 4663) |
| T1040 | Network Sniffing | (5158, 5156) |
| T1041 | Exfiltration Over C2 Channel | (5156, 4688) |
| T1046 | Network Service Discovery | (5156, 5140) |
| T1047 | Windows Management Instrumentation | (4688, 4104) |
| T1048 | Exfiltration Over Alternative Protocol | (5156, 5152) |
| T1049 | System Network Connections Discovery | (5156, 5158) |
| T1052 | Exfiltration Over Physical Medium | (4663, 4624) |
| T1053 | Scheduled Task/Job | (4698, 4702, 4699) |
| T1055 | Process Injection | (4688) |
| T1056 | Input Capture | (4688, 4657) |
| T1057 | Process Discovery | (4688, 4656) |
| T1059 | Command and Scripting Interpreter | (4688, 4104, 4103) |
| T1068 | Exploitation for Privilege Escalation | (4624, 4672) |
| T1069 | Permission Groups Discovery | (4798, 4799) |
| T1070 | Indicator Removal | (1102, 104, 4726) |
| T1071 | Application Layer Protocol | (5156, 4688) |
| T1072 | Software Deployment Tools | (4688) |
| T1074 | Data Staged | (4663, 5140) |
| T1078 | Valid Accounts | (4624, 4625, 4672, 4648, 4768, 4749, 4634) |
| T1080 | Taint Shared Content | (5140) |
| T1082 | System Information Discovery | (4688, 4656) |
| T1083 | File and Directory Discovery | (4663, 4656) |
| T1087 | Account Discovery | (4798, 4799, 4648) |
| T1090 | Proxy | (5156, 4624) |
| T1091 | Replication Through Removable Media | (20001 (USBStor), 4688, 4663) |
| T1092 | Communication Through Removable Media | (4663, 4624) |
| T1095 | Non-Application Layer Protocol | (5156, 4688) |
| T1098 | Account Manipulation | (4720, 4722, 4726, 4725, 4738) |
| T1102 | Web Service | (5156, 4624) |
| T1104 | Multi-Stage Channels | (5156, 4688) |
| T1105 | Ingress Tool Transfer | (4663, 5156) |
| T1106 | Native API | (4688) |
| T1110 | Brute Force | (4625, 4771, 4648) |
| T1111 | Multi-Factor Authentication Interception | (4624, 4776) |
| T1112 | Modify Registry | (4657) |
| T1113 | Screen Capture | (4688, 4656) |
| T1114 | Email Collection | (4663, 4624) |
| T1115 | Clipboard Data | (4663, 4688) |
| T1119 | Automated Collection | (4688, 4698) |
| T1120 | Peripheral Device Discovery | (4656, 4688) |
| T1123 | Audio Capture | (4698, 4688) |
| T1124 | System Time Discovery | (4688, 4656) |
| T1125 | Video Capture | (4688, 4698) |
| T1127 | Trusted Developer Utilities Proxy Execution | (4688) |
| T1129 | Shared Modules | (4688, 4657, 7045) |
| T1132 | Data Encoding | (4688, 5156) |
| T1133 | External Remote Services | (4624, 4625, 4778, 4779, 4648) |
| T1134 | Access Token Manipulation | (4648, 4672) |
| T1135 | Network Share Discovery | (5140, 4656) |
| T1136 | Create Account | (4720) |
| T1137 | Office Application Startup | (4688, 4104) |
| T1140 | Deobfuscate/Decode Files or Information | NA |
| T1176 | Browser Extensions | (4688) |
| T1185 | Browser Session Hijacking | (4624, 4688) |
| T1187 | Forced Authentication | (4648, 4672) |
| T1189 | Drive-by Compromise | (4688, 4104, 4697, 7045, 4720, 4776) |
| T1190 | Exploit Public-Facing Application | (4688, 4624, 4625, 4697, 7045, 5156, 1102) |
| T1195 | Supply Chain Compromise | (4688, 7045) |
| T1197 | BITS Jobs | (4690, 4691, 4697) |
| T1199 | Trusted Relationship | (4624, 4672, 4776) |
| T1200 | Hardware Additions | (20001 (USBStor), 6416) |
| T1201 | Password Policy Discovery | (4673, 4688) |
| T1202 | Indirect Command Execution | (4688) |
| T1203 | Exploitation for Client Execution | (4688, 4104) |
| T1204 | User Execution | (4688, 4104) |
| T1205 | Traffic Signaling | (5156, 5157, 5152) |
| T1207 | Rogue Domain Controller | (4713) |
| T1210 | Exploitation of Remote Services | (4624) |
| T1211 | Exploitation for Defense Evasion | NA |
| T1212 | Exploitation for Credential Access | (4673, 4688) |
| T1213 | Data from Information Repositories | (4663, 4688) |
| T1216 | System Script Proxy Execution | (4688) |
| T1217 | Browser Information Discovery | (4663, 4688) |
| T1218 | System Binary Proxy Execution | (4688) |
| T1219 | Remote Access Software | (5156, 4688) |
| T1220 | XSL Script Processing | (4688) |
| T1221 | Template Injection | NA |
| T1222 | File and Directory Permissions Modification | (4670, 4660, 4663) |
| T1480 | Execution Guardrails | NA |
| T1482 | Domain Trust Discovery | (4769, 4739) |
| T1484 | Domain or Tenant Policy Modification | (4670, 4739) |
| T1485 | Data Destruction | (4660, 4663) |
| T1486 | Data Encrypted for Impact | (5156, 4670) |
| T1489 | Service Stop | (7036) |
| T1490 | Inhibit System Recovery | (4698, 4699) |
| T1491 | Defacement | (5156, 4688) |
| T1495 | Firmware Corruption | (4688) |
| T1496 | Resource Hijacking | (5156, 4688) |
| T1497 | Virtualization/Sandbox Evasion | (4688, 4656) |
| T1498 | Network Denial of Service | (5156, 5152) |
| T1499 | Endpoint Denial of Service | (5156) |
| T1505 | Server Software Component | (7045, 4697, 4688) |
| T1518 | Software Discovery | (4688, 4656) |
| T1525 | Implant Internal Image | (4688) |
| T1526 | Cloud Service Discovery | (4624, 4688) |
| T1528 | Steal Application Access Token | (4769, 4648) |
| T1529 | System Shutdown/Reboot | (1074, 6008) |
| T1530 | Data from Cloud Storage | (4624, 4663) |
| T1531 | Account Access Removal | (4726, 4720) |
| T1534 | Internal Spearphishing | (4688) |
| T1535 | Unused/Unsupported Cloud Regions | NA |
| T1537 | Transfer Data to Cloud Account | (5156, 4663, 4688) |
| T1538 | Cloud Service Dashboard | (4624, 4663) |
| T1539 | Steal Web Session Cookie | (4624, 4688) |
| T1542 | Pre-OS Boot | (12, 1, 13) |
| T1543 | Create or Modify System Process | (7045, 4697, 4688) |
| T1546 | Event Triggered Execution | (4698, 4697) |
| T1547 | Boot or Logon Autostart Execution | (7045, 4697, 4688) |
| T1548 | Abuse Elevation Control Mechanism | (4673) |
| T1550 | Use Alternate Authentication Material | (4648) |
| T1552 | Unsecured Credentials | (4663, 4624) |
| T1553 | Subvert Trust Controls | (4691) |
| T1554 | Compromise Host Software Binary | (4688, 4657, 7045) |
| T1555 | Credentials from Password Stores | (4624, 4663) |
| T1556 | Modify Authentication Process | (4673, 4688, 4657, 4776) |
| T1557 | Adversary-in-the-Middle | (5156, 5157, 4648) |
| T1558 | Steal or Forge Kerberos Tickets | (4769, 4770, 4768) |
| T1559 | Inter-Process Communication | (4688) |
| T1560 | Archive Collected Data | (4688, 4104) |
| T1561 | Disk Wipe | (4663, 4688) |
| T1562 | Impair Defenses | (7036, 7040) |
| T1563 | Remote Service Session Hijacking | (4648) |
| T1564 | Hide Artifacts | (4660, 4663) |
| T1565 | Data Manipulation | (4663) |
| T1566 | Phishing | (4688, 4104, 4625) |
| T1567 | Exfiltration Over Web Service | (5156, 4624, 4688) |
| T1568 | Dynamic Resolution | (5156, 4688) |
| T1569 | System Services | (7045, 4697, 4688) |
| T1570 | Lateral Tool Transfer | (4688) |
| T1571 | Non-Standard Port | (5156, 5152) |
| T1572 | Protocol Tunneling | (5156, 4688) |
| T1573 | Encrypted Channel | (5156, 4624) |
| T1574 | Hijack Execution Flow | (7045, 4657, 4688) |
| T1578 | Modify Cloud Compute Infrastructure | NA |
| T1580 | Cloud Infrastructure Discovery | (4624, 4648) |
| T1583 | Acquire Infrastructure | (5156, 4688) |
| T1584 | Compromise Infrastructure | (5156, 4688) |
| T1585 | Establish Accounts | (4720, 4726) |
| T1586 | Compromise Accounts | (4720, 4722, 4725, 4726, 5156, 4688) |
| T1587 | Develop Capabilities | (4688, 4697) |
| T1588 | Obtain Capabilities | (4690, 4691) |
| T1589 | Gather Victim Identity Information | (4624, 4625, 4672, 4648, 4768, 4769, 4964, 4798, 4799) |
| T1590 | Gather Victim Network Information | (4624, 4648, 4672, 5145, 5156, 5157, 4662, 4776) |
| T1591 | Gather Victim Org Information | (4662, 4661, 4768, 4769, 4798, 4799, 5145) |
| T1592 | Gather Victim Host Information | (4624, 4688, 4648, 4672, 5145, 4769, 4663) |
| T1593 | Search Open Websites/Domains | (4688, 4104, 4624, 4625, 4656, 5145) |
| T1595 | Active Scanning | (5156, 5157, 4662, 4663, 4776) |
| T1596 | Search Open Technical Databases | (4688, 4104, 4624, 4625, 4656, 5145) |
| T1597 | Search Closed Sources | (4624, 4625, 4688, 4662, 4104, 5145) |
| T1598 | Phishing for Information | (4688, 4104, 4624, 4625, 4720, 4698) |
| T1599 | Network Boundary Bridging | NA |
| T1600 | Weaken Encryption | NA |
| T1601 | Modify System Image | NA |
| T1602 | Data from Configuration Repository | (4663, 4670) |
| T1606 | Forge Web Credentials | (4624, 4648) |
| T1608 | Stage Capabilities | (4688, 5156) |
| T1609 | Container Administration Command | (4688) |
| T1610 | Deploy Container | (4688) |
| T1611 | Escape to Host | (4624) |
| T1612 | Build Image on Host | NA |
| T1613 | Container and Resource Discovery | (4688, 4624) |
| T1614 | System Location Discovery | (4656, 4688) |
| T1615 | Group Policy Discovery | (4663, 4688) |
| T1619 | Cloud Storage Object Discovery | (4663, 4624) |
| T1620 | Reflective Code Loading | NA |
| T1621 | Multi-Factor Authentication Request Generation | (4624, 4625) |
| T1622 | Debugger Evasion | (4688) |
| T1647 | Plist File Modification | NA |
| T1648 | Serverless Execution | (4688) |
| T1649 | Steal or Forge Authentication Certificates | (4663, 4692, 4786) |
| T1650 | Acquire Access | (4624, 4625, 4672) |
| T1651 | Cloud Administration Command | (4688) |
| T1652 | Device Driver Discovery | (4657, 4688) |
| T1653 | Power Settings | (4688, 4657) |
| T1654 | Log Enumeration | (4688, 4663) |
| T1656 | Impersonation | (4648) |
| T1657 | Financial Theft | (5156, 4688) |
| T1659 | Content Injection | (4663, 4670, 4698, 7036, 4104, 4688) |
| T1665 | Hide Infrastructure | (5156, 4688) |
| T1908 | Account Manipulation | (4720, 4722, 4725, 4726, 4738) |
And here are the Windows Event Log descriptions:
| Windows Event ID | Windows Event Log Description |
|---|---|
| 104 | The log was cleared |
| 600 | Scheduled tasks or startup scripts |
| 800 | Windows Event Log records script execution at startup |
| 1074 | The system has been shut down by a process/user |
| 1101 | Audit events have been dropped by the transport |
| 1102 | The audit log was cleared |
| 4104 | Powershell script block logging |
| 4104 | PowerShell command line execution |
| 4624 | An account was successfully logged on |
| 4625 | An account failed to log on |
| 4634 | Logoff |
| 4648 | A logon was attempted using explicit credentials |
| 4656 | A handle to an object was requested |
| 4657 | A registry value was modified |
| 4660 | An object was deleted |
| 4661 | A handle to an object was requested |
| 4662 | An operation was performed on an object |
| 4663 | An attempt was made to access an object |
| 4670 | Permissions on an object were changed |
| 4672 | Special privileges assigned to new logon |
| 4673 | A privileged service was called |
| 4688 | A new process has been created |
| 4690 | Object handle granted access |
| 4691 | Indirect access to an object was requested |
| 4692 | Backup of data protection master key |
| 4697 | A service was installed on the system |
| 4698 | A scheduled task was created |
| 4699 | A scheduled task was deleted |
| 4700 | A scheduled task was enabled |
| 4702 | A scheduled task was updated |
| 4713 | Kerberos policy was changed |
| 4720 | A user account was created |
| 4722 | A user account was enabled |
| 4725 | A user account was disabled |
| 4726 | A user account was deleted |
| 4738 | A user account was changed |
| 4739 | Domain Policy was changed |
| 4768 | A Kerberos authentication ticket (TGT) was requested |
| 4769 | A Kerberos service ticket was requested |
| 4770 | A Kerberos service ticket was renewed |
| 4771 | Kerberos pre-authentication failed (for Kerberos brute force) |
| 4776 | The computer attempted to validate the credentials for an account |
| 4778 | A session was reconnected to a Window Station |
| 4779 | A session was disconnected from a Window Station |
| 4786 | Credential roaming store load |
| 4798 | A user’s local group membership was enumerated |
| 4799 | A security-enabled local group membership was enumerated |
| 4964 | Special groups have been assigned to a new logon |
| 5140 | A network share object was accessed |
| 5145 | A network share object was accessed |
| 5152 | The Windows Filtering Platform has blocked a connection |
| 5156 | Windows Filtering Platform has permitted a connection |
| 5157 | Windows Filtering Platform has blocked a connection |
| 5158 | The Windows Filtering Platform permitted a bind to a local port |
| 6008 | The previous system shutdown was unexpected |
| 6416 | A new external device was recognized by the system |
| 7036 | The service has entered the running state |
| 7040 | A service startup type was changed |
| 7045 | A service was installed in the system |
| 20001 (USBStor) | A USB device was connected |
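To show what the “not one-to-one” point and the T1078 context-building above look like in practice, here is an added example (not code from the post): it inverts a subset of the mapping table so one Event ID returns every technique that lists it, then walks a short constructed run of Security events for an account and resolves T1078 into a tactic. The context rules (five failed logons as a brute-force threshold, batch/service logon types as persistence, 4672 after a logon as privilege escalation) are assumptions chosen for the example, not part of the post.

```python
from collections import defaultdict

# Subset of the post's TID -> Event ID table; note the overlap on 4624/4648/4672.
TECH_EVENTS = {
    "T1078 Valid Accounts": {4624, 4625, 4672, 4648, 4768, 4749, 4634},
    "T1110 Brute Force": {4625, 4771, 4648},
    "T1134 Access Token Manipulation": {4648, 4672},
    "T1021 Remote Services": {4624},
}
EVENT_TECHS = defaultdict(set)          # inverted index: Event ID -> techniques
for tid, ids in TECH_EVENTS.items():
    for eid in ids:
        EVENT_TECHS[eid].add(tid)

def candidates(event_id):
    """Every technique that lists this Event ID (the mapping is many-to-many)."""
    return sorted(EVENT_TECHS.get(event_id, ()))

# Context rules (assumptions for this example, not from the post): how a run of
# events for one account resolves T1078 into a tactic.
BRUTE_FORCE_MIN = 5

def classify(events):
    """events: constructed dicts with EventID, TargetUserName, LogonType.
    Returns ordered (account, technique, tactic) findings."""
    findings, failures, logged_on = [], defaultdict(int), set()
    for ev in events:
        user, eid = ev["TargetUserName"], ev["EventID"]
        if eid == 4625:                                  # failed logon
            failures[user] += 1
            if failures[user] == BRUTE_FORCE_MIN:
                findings.append((user, "T1110 Brute Force", "Credential Access"))
        elif eid == 4624:                                # successful logon
            logged_on.add(user)
            if failures[user] >= BRUTE_FORCE_MIN:        # success right after a burst
                findings.append((user, "T1078 Valid Accounts", "Initial Access"))
            elif ev.get("LogonType") in (4, 5):          # batch / service logon
                findings.append((user, "T1078 Valid Accounts", "Persistence"))
        elif eid == 4672 and user in logged_on:          # admin rights after logon
            findings.append((user, "T1078 Valid Accounts", "Privilege Escalation"))
    return findings

SAMPLE = (  # constructed Security log entries for two accounts
    [{"EventID": 4625, "TargetUserName": "svc-backup", "LogonType": 3}] * 5
    + [{"EventID": 4624, "TargetUserName": "svc-backup", "LogonType": 10},
       {"EventID": 4672, "TargetUserName": "svc-backup"},
       {"EventID": 4624, "TargetUserName": "updater", "LogonType": 5}]
)

if __name__ == "__main__":
    print(candidates(4648))             # one ID, three candidate techniques
    for finding in classify(SAMPLE):
        print(finding)
```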
Personal thoughts
Hmm. Not really sure if these are accurate enough, haven’t tested them yet in a SIEM or log viewer. Definitely will test these. But FWIW, here’s Ultimate Windows Security and MITRE. Also, this project called DeTTECT looks cool. Worth checking out.