ATT&CK DS Event Mappings

Each row maps one ATT&CK data source component, expressed as a source/relationship/target triple, to the Windows event that evidences it and to the audit setting that must be enabled for that event to be written. For rows logged by Microsoft-Windows-Security-Auditing, the GPO Audit Policy column is given relative to Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies. For Sysmon rows the Audit Category column holds the Sysmon event-filtering element and the Enable Commands column the configuration fragment that logs every event of that type (an empty `onmatch="exclude"` rule excludes nothing); they have no audit sub-category or GPO setting (NA). PowerShell rows list the event's task category and require the corresponding PowerShell logging to be turned on (NA here).

| Data Source | Component | Source | Relationship | Target | EventID | Event Name | Log Provider | Log Channel | Audit Category | Audit Sub-Category | Enable Commands | GPO Audit Policy |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DNS | dns query execution | process | executed | dns query | 22 | DNSEvent (DNS query). | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | DNSQuery | NA | `<DNSQuery onmatch="exclude" />` | NA |
| File | file context | driver | loaded | None | 6 | Driver loaded. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | DriverLoad | NA | `<DriverLoad onmatch="exclude" />` | NA |
| File | file creation | process | created | file | 11 | FileCreate. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileCreate | NA | `<FileCreate onmatch="exclude" />` | NA |
| File | file deletion | process | deleted | file | 23 | FileDelete (A file delete was detected). | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileDelete | NA | `<FileDelete onmatch="exclude" />` | NA |
| File | file deletion | process | deleted | file | 4660 | An object was deleted. | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Object Access -> Audit File System |
| File | file deletion | user | deleted | file | 23 | FileDelete (A file delete was detected). | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileDelete | NA | `<FileDelete onmatch="exclude" />` | NA |
| File | file deletion | user | deleted | file | 4660 | An object was deleted. | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Object Access -> Audit File System |
| File | file access | user | accessed | file | 5145 | A network share object was checked to see whether client can be granted desired access. | Microsoft-Windows-Security-Auditing | Security | Object Access | Detailed File Share | `auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable` | Object Access -> Audit Detailed File Share |
| File | file access | user | accessed | file | 4663 | An attempt was made to access an object. | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Object Access -> Audit File System |
| File | file access | process | accessed | file | 4663 | An attempt was made to access an object. | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Object Access -> Audit File System |
| File | file access | user | requested access | file | 4656 | A handle to an object was requested. | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Object Access -> Audit File System |
| File | file access | user | requested access | file | 4661 | A handle to an object was requested. | Microsoft-Windows-Security-Auditing | Security | DS Access | Directory Service Access | `auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable` | DS Access -> Audit Directory Service Access |
| File | file access | user | requested access | file | 4661 | A handle to an object was requested. | Microsoft-Windows-Security-Auditing | Security | Object Access | SAM | `auditpol /set /subcategory:"SAM" /success:enable /failure:enable` | Object Access -> Audit SAM |
| File | file access | user | requested access | file | 4692 | Backup of data protection master key was attempted. | Microsoft-Windows-Security-Auditing | Security | Detailed Tracking | DPAPI Activity | `auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable` | Detailed Tracking -> Audit DPAPI Activity |
| File | file access | process | requested access | file | 4656 | A handle to an object was requested. | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Object Access -> Audit File System |
| File | file access | process | requested access | file | 4661 | A handle to an object was requested. | Microsoft-Windows-Security-Auditing | Security | DS Access | Directory Service Access | `auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable` | DS Access -> Audit Directory Service Access |
| File | file access | process | requested access | file | 4661 | A handle to an object was requested. | Microsoft-Windows-Security-Auditing | Security | Object Access | SAM | `auditpol /set /subcategory:"SAM" /success:enable /failure:enable` | Object Access -> Audit SAM |
| File | file modification | process | modified | file | 2 | A process changed a file creation time. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileCreateTime | NA | `<FileCreateTime onmatch="exclude" />` | NA |
| File | file modification | process | modified | file | 11 | FileCreate. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | FileCreate | NA | `<FileCreate onmatch="exclude" />` | NA |
| File | file modification | process | modified | file | 4670 | Permissions on an object were changed. | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Object Access -> Audit File System |
| File | file modification | user | modified | file | 4670 | Permissions on an object were changed. | Microsoft-Windows-Security-Auditing | Security | Object Access | File System | `auditpol /set /subcategory:"File System" /success:enable /failure:enable` | Object Access -> Audit File System |
| File | file share creation | user | created | file share | 5142 | A network share object was added. | Microsoft-Windows-Security-Auditing | Security | Object Access | File Share | `auditpol /set /subcategory:"File Share" /success:enable /failure:enable` | Object Access -> Audit File Share |
| File | file share deletion | user | deleted | file share | 5144 | A network share object was deleted. | Microsoft-Windows-Security-Auditing | Security | Object Access | File Share | `auditpol /set /subcategory:"File Share" /success:enable /failure:enable` | Object Access -> Audit File Share |
| File | file share access | user | accessed | file share | 5140 | A network share object was accessed. | Microsoft-Windows-Security-Auditing | Security | Object Access | File Share | `auditpol /set /subcategory:"File Share" /success:enable /failure:enable` | Object Access -> Audit File Share |
| File | file share modification | user | modified | file share | 5143 | A network share object was modified. | Microsoft-Windows-Security-Auditing | Security | Object Access | File Share | `auditpol /set /subcategory:"File Share" /success:enable /failure:enable` | Object Access -> Audit File Share |
| Logon session | logon session context | logon session | modified | None | 4672 | Special privileges assigned to new logon. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Special Logon | `auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable` | Logon/Logoff -> Audit Special Logon |
| Logon session | logon session creation | user | requested creation | logon session | 4648 | A logon was attempted using explicit credentials. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Logon/Logoff -> Audit Logon |
| Logon session | logon session creation | user | requested logon session creation from | ip | 4648 | A logon was attempted using explicit credentials. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Logon/Logoff -> Audit Logon |
| Logon session | logon session creation | user | requested logon session creation from | port | 4648 | A logon was attempted using explicit credentials. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Logon/Logoff -> Audit Logon |
| Logon session | logon session creation | user | created | logon session | 4624 | An account was successfully logged on. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Logon/Logoff -> Audit Logon |
| Logon session | logon session creation | user | created | logon session | 4778 | A session was reconnected to a Window Station. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Other Logon/Logoff Events | `auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable` | Logon/Logoff -> Audit Other Logon/Logoff Events |
| Logon session | logon session creation | user | created | logon session | 4964 | Special groups have been assigned to a new logon. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Special Logon | `auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable` | Logon/Logoff -> Audit Special Logon |
| Logon session | logon session creation | user | created logon session from | ip | 4624 | An account was successfully logged on. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Logon/Logoff -> Audit Logon |
| Logon session | logon session creation | user | created logon session from | ip | 4778 | A session was reconnected to a Window Station. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Other Logon/Logoff Events | `auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable` | Logon/Logoff -> Audit Other Logon/Logoff Events |
| Logon session | logon session creation | user | created logon session from | port | 4624 | An account was successfully logged on. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Logon/Logoff -> Audit Logon |
| Logon session | logon session creation | user | failed creation | host | 4625 | An account failed to log on. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Logon/Logoff -> Audit Logon |
| Logon session | logon session creation | user | failed creation | host | 4625 | An account failed to log on. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Account Lockout | `auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable` | Logon/Logoff -> Audit Account Lockout |
| Logon session | logon session creation | user | failed logon session creation from | ip | 4625 | An account failed to log on. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Logon/Logoff -> Audit Logon |
| Logon session | logon session creation | user | failed logon session creation from | ip | 4625 | An account failed to log on. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Account Lockout | `auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable` | Logon/Logoff -> Audit Account Lockout |
| Logon session | logon session creation | user | failed logon session creation from | port | 4625 | An account failed to log on. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logon | `auditpol /set /subcategory:"Logon" /success:enable /failure:enable` | Logon/Logoff -> Audit Logon |
| Logon session | logon session creation | user | failed logon session creation from | port | 4625 | An account failed to log on. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Account Lockout | `auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable` | Logon/Logoff -> Audit Account Lockout |
| Logon session | logon session termination | user | requested termination | logon session | 4647 | User initiated logoff. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logoff | `auditpol /set /subcategory:"Logoff" /success:enable /failure:enable` | Logon/Logoff -> Audit Logoff |
| Logon session | logon session termination | user | terminated | logon session | 4634 | An account was logged off. | Microsoft-Windows-Security-Auditing | Security | Logon/Logoff | Logoff | `auditpol /set /subcategory:"Logoff" /success:enable /failure:enable` | Logon/Logoff -> Audit Logoff |
| Module | module load | process | loaded | dll | 7 | Image loaded. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ImageLoad | NA | `<ImageLoad onmatch="exclude" />` | NA |
| Module | module load | process | loaded | executable | 7 | Image loaded. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ImageLoad | NA | `<ImageLoad onmatch="exclude" />` | NA |
| Named pipe | named pipe creation | process | created | pipe | 17 | PipeEvent (Pipe Created). | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | PipeEvent | NA | `<PipeEvent onmatch="exclude" />` | NA |
| Named pipe | named pipe connection | process | connected to | pipe | 18 | PipeEvent (Pipe Connected). | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | PipeEvent | NA | `<PipeEvent onmatch="exclude" />` | NA |
| Powershell log | powershell context | application host | started | None | 400 | Engine state is changed from None to Available. | PowerShell | Windows PowerShell | Engine Lifecycle | NA | NA | NA |
| Powershell log | powershell context | application domain | started | None | 53504 | Windows PowerShell has started an IPC listening thread on a process in AppDomain. | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | PowerShell Named Pipe IPC | NA | NA | NA |
| Powershell log | powershell execution | user | started | application host | 4103 | Module logging. | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Executing Pipeline | NA | NA | NA |
| Powershell log | powershell execution | process | executed | command | 4103 | Module logging. | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Executing Pipeline | NA | NA | NA |
| Powershell log | powershell execution | process | executed | command | 4104 | Script Block Logging. | Microsoft-Windows-PowerShell | Microsoft-Windows-PowerShell/Operational | Execute a Remote Command | NA | NA | NA |
| Process | process context | process | terminated | None | 5 | Process terminated. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessTerminate | NA | `<ProcessTerminate onmatch="exclude" />` | NA |
| Process | process creation | user | created | process | 4688 | A new process has been created. | Microsoft-Windows-Security-Auditing | Security | Detailed Tracking | Process Creation | `auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable` | Detailed Tracking -> Audit Process Creation |
| Process | process creation | user | created | process | 1 | Process Creation. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessCreate | NA | `<ProcessCreate onmatch="exclude" />` | NA |
| Process | process creation | process | created | process | 4688 | A new process has been created. | Microsoft-Windows-Security-Auditing | Security | Detailed Tracking | Process Creation | `auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable` | Detailed Tracking -> Audit Process Creation |
| Process | process creation | process | created | process | 1 | Process Creation. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessCreate | NA | `<ProcessCreate onmatch="exclude" />` | NA |
| Process | process creation | process | created | thread | 8 | CreateRemoteThread. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | CreateRemoteThread | NA | `<CreateRemoteThread onmatch="exclude" />` | NA |
| Process | process termination | user | terminated | process | 4689 | A process has exited. | Microsoft-Windows-Security-Auditing | Security | Detailed Tracking | Process Termination | `auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable` | Detailed Tracking -> Audit Process Termination |
| Process | process access | process | accessed | process | 4663 | An attempt was made to access an object. | Microsoft-Windows-Security-Auditing | Security | Object Access | Kernel Object | `auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable` | Object Access -> Audit Kernel Object |
| Process | process access | process | accessed | process | 10 | ProcessAccess. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | ProcessAccess | NA | `<ProcessAccess onmatch="exclude" />` | NA |
| Process | process access | process | requested access | process | 4656 | A handle to an object was requested. | Microsoft-Windows-Security-Auditing | Security | Object Access | Kernel Object | `auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable` | Object Access -> Audit Kernel Object |
| Process | process network connection | process | connected to | port | 5156 | The Windows Filtering Platform has permitted a connection. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | process | connected to | port | 3 | Network connection. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | NA | `<NetworkConnect onmatch="exclude" />` | NA |
| Process | process network connection | process | connected to | ip | 5156 | The Windows Filtering Platform has permitted a connection. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | process | connected to | ip | 3 | Network connection. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | NA | `<NetworkConnect onmatch="exclude" />` | NA |
| Process | process network connection | process | connected to | host | 3 | Network connection. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | NA | `<NetworkConnect onmatch="exclude" />` | NA |
| Process | process network connection | process | connected from | port | 5156 | The Windows Filtering Platform has permitted a connection. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | process | connected from | port | 3 | Network connection. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | NA | `<NetworkConnect onmatch="exclude" />` | NA |
| Process | process network connection | process | connected from | ip | 5156 | The Windows Filtering Platform has permitted a connection. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | process | connected from | ip | 3 | Network connection. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | NA | `<NetworkConnect onmatch="exclude" />` | NA |
| Process | process network connection | process | connected from | host | 3 | Network connection. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | NA | `<NetworkConnect onmatch="exclude" />` | NA |
| Process | process network connection | user | connected to | port | 3 | Network connection. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | NA | `<NetworkConnect onmatch="exclude" />` | NA |
| Process | process network connection | user | connected to | ip | 3 | Network connection. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | NA | `<NetworkConnect onmatch="exclude" />` | NA |
| Process | process network connection | user | connected to | host | 3 | Network connection. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | NA | `<NetworkConnect onmatch="exclude" />` | NA |
| Process | process network connection | user | connected from | port | 3 | Network connection. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | NA | `<NetworkConnect onmatch="exclude" />` | NA |
| Process | process network connection | user | connected from | ip | 3 | Network connection. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | NA | `<NetworkConnect onmatch="exclude" />` | NA |
| Process | process network connection | user | connected from | host | 3 | Network connection. | Microsoft-Windows-Sysmon | Microsoft-Windows-Sysmon/Operational | NetworkConnect | NA | `<NetworkConnect onmatch="exclude" />` | NA |
| Process | process network connection | host | blocked connection on | process | 5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | host | blocked connection to | process | 5157 | The Windows Filtering Platform has blocked a connection. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | host | blocked connection to | ip | 5157 | The Windows Filtering Platform has blocked a connection. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | host | blocked connection to | port | 5157 | The Windows Filtering Platform has blocked a connection. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | host | blocked connection from | process | 5157 | The Windows Filtering Platform has blocked a connection. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | host | blocked connection from | ip | 5157 | The Windows Filtering Platform has blocked a connection. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | host | blocked connection from | port | 5157 | The Windows Filtering Platform has blocked a connection. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | process | attempted connection to | ip | 5157 | The Windows Filtering Platform has blocked a connection. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | process | attempted connection to | port | 5157 | The Windows Filtering Platform has blocked a connection. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | process | attempted connection from | ip | 5157 | The Windows Filtering Platform has blocked a connection. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | process | attempted connection from | port | 5157 | The Windows Filtering Platform has blocked a connection. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | host | permitted listener on | process | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | host | permitted listener on | ip | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | host | permitted listener on | port | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | Object Access -> Audit Filtering Platform Connection |
| Process | process network connection | process | listened on | port | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Microsoft-Windows-Security-Auditing | Security | Object Access | Filtering Platform Connection | `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable` | |

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Process

process network connection

host

blocked listener on

process

5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Process

process network connection

host

blocked listener on

ip

5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Process

process network connection

host

blocked listener on

port

5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Process

process network connection

process

attempted to listen on

port

5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Process

process network connection

host

permitted local port bind on

process

5158

The Windows Filtering Platform has permitted a bind to a local port.

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Process

process network connection

host

permitted local port bind on

ip

5158

The Windows Filtering Platform has permitted a bind to a local port.

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Process

process network connection

host

permitted local port bind on

port

5158

The Windows Filtering Platform has permitted a bind to a local port.

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Process

process network connection

process

bound to

port

5158

The Windows Filtering Platform has permitted a bind to a local port.

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Process

process network connection

host

blocked local port bind on

process

5159

The Windows Filtering Platform has blocked a bind to a local port.

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Process

process network connection

host

blocked local port bind on

ip

5159

The Windows Filtering Platform has blocked a bind to a local port.

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Process

process network connection

host

blocked local port bind on

port

5159

The Windows Filtering Platform has blocked a bind to a local port.

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Process

process network connection

process

attempted to bind on

port

5159

The Windows Filtering Platform has blocked a bind to a local port.

Microsoft-Windows-Security-Auditing

Security

Object Access

Filtering Platform Connection

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Filtering Platform Connection

Schedule Task

schedule task creation

user

created

schedule task

4698

A scheduled task was created.

Microsoft-Windows-Security-Auditing

Security

Object Access

Other Object Access Events

auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events

Schedule Task

schedule task deletion

user

deleted

schedule task

4699

A scheduled task was deleted.

Microsoft-Windows-Security-Auditing

Security

Object Access

Other Object Access Events

auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events

Schedule Task

schedule task enable

user

enabled

schedule task

4700

A scheduled task was enabled.

Microsoft-Windows-Security-Auditing

Security

Object Access

Other Object Access Events

auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events

Schedule Task

schedule task disable

user

disabled

schedule task

4701

A scheduled task was disabled.

Microsoft-Windows-Security-Auditing

Security

Object Access

Other Object Access Events

auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events

Schedule Task

schedule task modification

user

modified

schedule task

4702

A scheduled task was updated.

Microsoft-Windows-Security-Auditing

Security

Object Access

Other Object Access Events

auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events

Service

service context

service

started

None

4

Sysmon service state changed.

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

ServiceStateChange

NA

<ServiceStateChange onmatch="exclude" />

NA

Service

service context

service

started

None

5024

The Windows Firewall Service has started successfully.

Microsoft-Windows-Security-Auditing

Security

System

Other System Events

auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Other System Events

Service

service context

service

stopped

None

4

Sysmon service state changed.

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

ServiceStateChange

NA

<ServiceStateChange onmatch="exclude" />

NA

Service

service context

service

stopped

None

5025

The Windows Firewall Service has been stopped.

Microsoft-Windows-Security-Auditing

Security

System

Other System Events

auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Other System Events

Service

service creation

user

created

service

4697

A service was installed in the system.

Microsoft-Windows-Security-Auditing

Security

System

Security System Extension

auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Security System Extension

Service

service creation

user

created

service

7045

A new service was installed in the system.

Service Control Manager

System

NA

NA

NA

NA

Service

service access

user

requested access

service

4656

A handle to an object was requested.

Microsoft-Windows-Security-Auditing

Security

Object Access

Other Object Access Events

auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events

User Account

user account creation

user

created

user

4720

A user account was created.

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

User Account

user account deletion

user

deleted

user

4726

A user account was deleted.

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

User Account

user account enable

user

enabled

user

4722

A user account was enabled.

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

User Account

user account disable

user

disabled

user

4725

A user account was disabled.

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

User Account

user account lock

user

locked

user

4740

A user account was locked out.

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

User Account

user account unlock

user

unlocked

user

4767

A user account was unlocked.

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

User Account

user account modification

user

requested modification

user

4723

An attempt was made to change an account’s password.

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

User Account

user account modification

user

requested modification

user

4724

An attempt was made to reset an account’s password.

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

User Account

user account modification

user

modified

user

4738

A user account was changed.

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

User Account

user account modification

user

modified

user

4781

The name of an account was changed.

Microsoft-Windows-Security-Auditing

Security

Account Management

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management

User Account

user account modification

user

granted access

user

4717

System security access was granted to an account.

Microsoft-Windows-Security-Auditing

Security

Policy Change

Authentication Policy Change

auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit Authentication Policy Change

User Account

user account modification

user

removed access

user

4718

System security access was removed from an account.

Microsoft-Windows-Security-Auditing

Security

Policy Change

Authentication Policy Change

auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit Authentication Policy Change

Windows active directory

active directory service creation

user

created

ad object

5137

A directory service object was created.

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Changes

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes

Windows active directory

active directory service deletion

user

deleted

ad object

5141

A directory service object was deleted.

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Changes

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes

Windows active directory

active directory service deletion

user

undeleted

ad object

5138

A directory service object was undeleted.

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Changes

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes

Windows active directory

active directory service access

process

requested access

ad object

4661

A handle to an object was requested.

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Access

auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Access

Windows active directory

active directory service access

user

requested access

ad object

4661

A handle to an object was requested.

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Access

auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Access

Windows active directory

active directory service access

user

accessed

ad object

4662

An operation was performed on an object.

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Access

auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Access

Windows active directory

active directory service modification

user

modified

ad object

5136

A directory service object was modified.

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Changes

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes

Windows active directory

active directory service modification

user

modified

ad object

5139

A directory service object was moved.

Microsoft-Windows-Security-Auditing

Security

DS Access

Directory Service Changes

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Audit Directory Service Changes

Windows registry

windows registry key creation

process

created

windows registry key

12

RegistryEvent (Object create and delete).

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

RegistryEvent

NA

<RegistryEvent onmatch="exclude" />

NA

Windows registry

windows registry key creation

process

created

windows registry key value

12

RegistryEvent (Object create and delete).

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

RegistryEvent

NA

<RegistryEvent onmatch="exclude" />

NA

Windows registry

windows registry key deletion

user

deleted

windows registry key

4660

An object was deleted.

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

Windows registry

windows registry key deletion

process

deleted

windows registry key

12

RegistryEvent (Object create and delete).

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

RegistryEvent

NA

<RegistryEvent onmatch="exclude" />

NA

Windows registry

windows registry key deletion

process

deleted

windows registry key

4660

An object was deleted.

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

Windows registry

windows registry key deletion

process

deleted

windows registry key value

12

RegistryEvent (Object create and delete).

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

RegistryEvent

NA

<RegistryEvent onmatch="exclude" />

NA

Windows registry

windows registry key modification

process

modified

windows registry key

13

RegistryEvent (Value Set).

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

RegistryEvent

NA

<RegistryEvent onmatch="exclude" />

NA

Windows registry

windows registry key modification

process

modified

windows registry key

14

RegistryEvent (Key and Value Rename).

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

RegistryEvent

NA

<RegistryEvent onmatch="exclude" />

NA

Windows registry

windows registry key modification

process

modified

windows registry key

4670

Permissions on an object were changed.

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

Windows registry

windows registry key modification

process

modified

windows registry key value

13

RegistryEvent (Value Set).

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

RegistryEvent

NA

<RegistryEvent onmatch="exclude" />

NA

Windows registry

windows registry key modification

process

modified

windows registry key value

14

RegistryEvent (Key and Value Rename).

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

RegistryEvent

NA

<RegistryEvent onmatch="exclude" />

NA

Windows registry

windows registry key modification

process

modified

windows registry key value

4657

A registry value was modified.

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

Windows registry

windows registry key modification

user

modified

windows registry key

4670

Permissions on an object were changed.

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

Windows registry

windows registry key modification

user

modified

windows registry key value

4657

A registry value was modified.

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

Windows registry

Windows registry key access

process

accessed

windows registry key

4663

An attempt was made to access an object.

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

Windows registry

Windows registry key access

user

accessed

windows registry key

4663

An attempt was made to access an object.

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

Windows registry

Windows registry key access

process

requested access

windows registry key

4656

A handle to an object was requested.

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

Windows registry

Windows registry key access

user

requested access

windows registry key

4656

A handle to an object was requested.

Microsoft-Windows-Security-Auditing

Security

Object Access

Registry

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry

WMI object

wmi object context

wmi subscription

created

None

5861

WMI permanent event created.

Microsoft-Windows-WMI-Activity

Microsoft-Windows-WMI-Activity/Operational

NA

NA

NA

NA

WMI object

wmi object creation

user

created

wmi filter

19

WmiEvent (WmiEventFilter activity detected).

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

WmiEvent

NA

<WmiEvent onmatch="exclude" />

NA

WMI object

wmi object creation

user

created

wmi consumer

20

WmiEvent (WmiEventConsumer activity detected).

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

WmiEvent

NA

<WmiEvent onmatch="exclude" />

NA

WMI object

wmi object creation

user

created

wmi subscription

21

WmiEvent (WmiEventConsumerToFilter activity detected).

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

WmiEvent

NA

<WmiEvent onmatch="exclude" />

NA

WMI object

wmi object deletion

user

deleted

wmi filter

19

WmiEvent (WmiEventFilter activity detected).

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

WmiEvent

NA

<WmiEvent onmatch="exclude" />

NA

WMI object

wmi object deletion

user

deleted

wmi consumer

20

WmiEvent (WmiEventConsumer activity detected).

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

WmiEvent

NA

<WmiEvent onmatch="exclude" />

NA

WMI object

wmi object deletion

user

deleted

wmi subscription

21

WmiEvent (WmiEventConsumerToFilter activity detected).

Microsoft-Windows-Sysmon

Microsoft-Windows-Sysmon/Operational

WmiEvent

NA

<WmiEvent onmatch="exclude" />

NA