Note: This table is currently in progress and subject to change. The detectable techniques listed are based on my current experience and observations.

Log Source Mapping for MITRE ATT&CK TTPs

| Event Category | Event ID | Description | Event Log Volume | Default Setting | Detectable Techniques (ATT&CK tactics) |
|---|---|---|---|---|---|
| Process Management Events | 4688 | Process Creation | High | Disabled | Initial Access, Execution, Persistence, Privilege Escalation, Discovery, Credential Access, Lateral Movement, Defense Evasion, Impact |
| | 4689 | Process Termination | High | Disabled | |
| Authentication Events | 4624 | Successful Login | High | Enabled | Initial Access, Persistence, Privilege Escalation |
| | 4625 | Failed Login Attempt | Medium | Enabled | Initial Access, Credential Access, Discovery |
| | 4634 | Logoff Event | High | Enabled | Credential Access, Discovery, Impact |
| | 4648 | Explicit Credential Use | Low | Disabled | Credential Access, Lateral Movement, Privilege Escalation |
| System Changes Events | 4657 | Registry Key or Value Modification | Medium | Disabled | Persistence, Privilege Escalation, Defense Evasion, Impact, Credential Access |
| | 4660 | Object Deletion | Low | Disabled | Defense Evasion, Impact |
| File Access Events | 4663 | File or Object Access Attempt | High | Disabled | Lateral Movement, Exfiltration, Credential Access |
| | 5140 | Access to Shared Files | High | Disabled | Lateral Movement, Exfiltration, Credential Access |
| | 5145 | File Access over SMB | High | Disabled | Lateral Movement, Command and Control, Exfiltration, Discovery |
| Permissions Events | 4670 | Permission Change on an Object | Low | Disabled | Privilege Escalation, Defense Evasion, Lateral Movement |
| Account Management Events | 4672 | Privileged Account Usage | Medium | Enabled | Privilege Escalation, Discovery, Lateral Movement, Execution |
| | 4673 | Privilege Use Attempt | Medium | Disabled | Privilege Escalation, Discovery, Lateral Movement, Execution |
| System Changes Events | 4697 | Service Installation | Low | Disabled | Persistence, Privilege Escalation, Execution |
| Task Management Events | 4698 | Scheduled Task Creation | Low | Disabled | Persistence, Privilege Escalation, Execution |
| | 4699 | Scheduled Task Modification | Low | Disabled | Persistence, Privilege Escalation, Execution |
| Policy Changes Events | 4715 | Audit Policy Subcategory Changes | Very Low | Enabled | Defense Evasion, Impact |
| | 4719 | System Audit Policy Changes | Very Low | Enabled | Defense Evasion, Impact |
| Account Management Events | 4720 | User Account Creation | Low | Enabled | Initial Access, Persistence, Privilege Escalation, Credential Access, etc. |
| | 4722 | Account Enabled | Low | Enabled | Persistence, Privilege Escalation |
| | 4723 | Password Change Attempt | Medium | Enabled | Credential Access, Privilege Escalation |
| | 4724 | Password Reset | Low | Enabled | |
| | 4725 | Account Disabled | Low | Enabled | |
| | 4726 | Account Deletion | Low | Enabled | Defense Evasion, Impact, Persistence |
| | 4735 | Security Group Membership Change | Low | Enabled | Privilege Escalation, Lateral Movement |
| | 4740 | Account Lockout | Medium | Enabled | |
| | 4767 | Account Unlock | Low | Enabled | |
| Authentication Events | 4768 | Kerberos Ticket Request | High | Enabled | Credential Access, Lateral Movement |
| | 4776 | NTLM Authentication Failure | Medium | Enabled | Credential Access, Lateral Movement |
| Security Events | 4797 | Certificate Validation Failure | Low | Disabled | |
| Network Security Events | 4907 | Network Policy Changes | Very Low | Disabled | Defense Evasion, Impact |
| | 4846 | Firewall Rule Added | Low | Disabled | |
| | 4947 | Firewall Rule Deleted | Low | Disabled | |
| | 5156 | Allowed Network Connection | Very High | Disabled | |
| | 5157 | Blocked Network Connection | High | Disabled | |
| System Changes Events | 7040 | Service Configuration Change | Low | Disabled | Persistence, Privilege Escalation, Execution |
| | 7045 | New Service Installed | Low | Disabled | |
| Security Events | 1102 | Audit Log Cleared | Very Low | Enabled | |
| | 4104 | PowerShell Script Block Logging | Medium | Disabled | |
| | 1116 | Windows Defender Detected Malware | Low | Enabled | |
| Directory Services Events | 5136 | Active Directory Object Changes | Medium | Disabled | Privilege Escalation, Discovery, Lateral Movement, Persistence |
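The table pairs each event ID with the tactics it can surface and flags which events are disabled by default. The following PowerShell script is an added example (not part of the original table) that turns a subset of those rows into something you can run on a host: it checks, via auditpol, whether the advanced audit subcategory behind each Security-log row is actually collecting, and it pulls the last N hours of events for a chosen tactic. The tactic lists are copied from the table; the log names (Security, System) and the auditpol subcategory names are my additions and are not stated on the page, and the hashtable layout and function names are my own.

```powershell
# Added example: operationalise the event-ID -> ATT&CK tactic mapping from the table.
# Tactics per row are taken from the table above; Log and Subcategory are assumptions
# added here (standard Windows advanced audit policy names), not from the table.
$EventMap = @(
    @{ Id = 4688; Log = 'Security'; Subcategory = 'Process Creation';           Description = 'Process Creation';                   Tactics = 'Initial Access','Execution','Persistence','Privilege Escalation','Discovery','Credential Access','Lateral Movement','Defense Evasion','Impact' }
    @{ Id = 4624; Log = 'Security'; Subcategory = 'Logon';                      Description = 'Successful Login';                   Tactics = 'Initial Access','Persistence','Privilege Escalation' }
    @{ Id = 4625; Log = 'Security'; Subcategory = 'Logon';                      Description = 'Failed Login Attempt';               Tactics = 'Initial Access','Credential Access','Discovery' }
    @{ Id = 4648; Log = 'Security'; Subcategory = 'Logon';                      Description = 'Explicit Credential Use';            Tactics = 'Credential Access','Lateral Movement','Privilege Escalation' }
    @{ Id = 4657; Log = 'Security'; Subcategory = 'Registry';                   Description = 'Registry Key or Value Modification'; Tactics = 'Persistence','Privilege Escalation','Defense Evasion','Impact','Credential Access' }
    @{ Id = 4663; Log = 'Security'; Subcategory = 'File System';                Description = 'File or Object Access Attempt';      Tactics = 'Lateral Movement','Exfiltration','Credential Access' }
    @{ Id = 5145; Log = 'Security'; Subcategory = 'Detailed File Share';        Description = 'File Access over SMB';               Tactics = 'Lateral Movement','Command and Control','Exfiltration','Discovery' }
    @{ Id = 4673; Log = 'Security'; Subcategory = 'Sensitive Privilege Use';    Description = 'Privilege Use Attempt';              Tactics = 'Privilege Escalation','Discovery','Lateral Movement','Execution' }
    @{ Id = 4697; Log = 'Security'; Subcategory = 'Security System Extension';  Description = 'Service Installation';               Tactics = 'Persistence','Privilege Escalation','Execution' }
    @{ Id = 4698; Log = 'Security'; Subcategory = 'Other Object Access Events'; Description = 'Scheduled Task Creation';            Tactics = 'Persistence','Privilege Escalation','Execution' }
    @{ Id = 4719; Log = 'Security'; Subcategory = 'Audit Policy Change';        Description = 'System Audit Policy Changes';        Tactics = 'Defense Evasion','Impact' }
    @{ Id = 5136; Log = 'Security'; Subcategory = 'Directory Service Changes';  Description = 'Active Directory Object Changes';    Tactics = 'Privilege Escalation','Discovery','Lateral Movement','Persistence' }
    @{ Id = 7040; Log = 'System';   Subcategory = $null;                        Description = 'Service Configuration Change';       Tactics = 'Persistence','Privilege Escalation','Execution' }
)

function Get-AuditCoverage {
    # For every Security-log row, ask auditpol whether its subcategory is collecting.
    # 'No Auditing' means the table's "Disabled" rows are still off on this host.
    # auditpol needs an elevated prompt; /r returns CSV with an 'Inclusion Setting' column.
    foreach ($row in $EventMap) {
        if (-not $row.Subcategory) { continue }   # System-log rows have no audit subcategory
        $csv = auditpol /get /subcategory:"$($row.Subcategory)" /r |
               Where-Object { $_ -match ',' } |    # drop the blank line auditpol prints first
               ConvertFrom-Csv
        [pscustomobject]@{
            Id          = $row.Id
            Description = $row.Description
            Subcategory = $row.Subcategory
            Auditing    = $csv.'Inclusion Setting'
            Tactics     = ($row.Tactics -join ', ')
        }
    }
}

function Get-TacticEvents {
    # Pull recent events for every row in the map that lists the requested tactic,
    # querying each event log once with all of its IDs, and return per-ID counts.
    param(
        [Parameter(Mandatory)][string]$Tactic,
        [int]$Hours = 24
    )
    $rows = @($EventMap | Where-Object { $_.Tactics -contains $Tactic })
    if ($rows.Count -eq 0) { Write-Warning "No mapped event IDs for tactic '$Tactic'"; return }
    $since = (Get-Date).AddHours(-$Hours)

    foreach ($log in ($rows | ForEach-Object { $_.Log } | Sort-Object -Unique)) {
        $ids = @($rows | Where-Object { $_.Log -eq $log } | ForEach-Object { $_.Id })
        # -ErrorAction SilentlyContinue: Get-WinEvent raises a non-terminating error when
        # nothing matches, which is the normal case for a disabled subcategory.
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue |
            Group-Object Id |
            ForEach-Object {
                $id = [int]$_.Name
                [pscustomobject]@{
                    Tactic      = $Tactic
                    Log         = $log
                    Id          = $id
                    Description = ($EventMap | Where-Object { $_.Id -eq $id } | ForEach-Object { $_.Description })
                    Count       = $_.Count
                }
            }
    }
}

# Usage: first confirm the "Disabled by default" rows are actually on, then look at one tactic.
Get-AuditCoverage | Format-Table -AutoSize
Get-TacticEvents -Tactic 'Lateral Movement' -Hours 24 | Sort-Object Count -Descending | Format-Table -AutoSize
```

Run this from an elevated prompt, since auditpol refuses to read policy otherwise. Rows that come back as "No Auditing" are the table's "Disabled" events on a host that nobody has turned on yet; `auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable` is the standard way to switch one on locally, with Group Policy preferred at scale. The map deliberately keeps the tactic strings identical to the table so a row can be added or corrected without touching the two functions.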