Enriched rule names

10_process_access/include_debugging.xml

@@ -2,8 +2,8 @@
    <EventFiltering>
  <RuleGroup name="" groupRelation="or">
       <ProcessAccess onmatch="include">
-      	<CallTrace name="technique_id=T1003,technique_name=Credential Dumping" condition="contains">dbghelp.dll</CallTrace>
-      	<CallTrace name="technique_id=T1003,technique_name=Credential Dumping" condition="contains">dbgcore.dll</CallTrace>
+      	<CallTrace name="tactic_id=TA0006,tactic_name=Credential Access,technique_id=T1003,technique_name=Credential Dumping" condition="contains">dbghelp.dll</CallTrace>
+      	<CallTrace name="tactic_id=TA0006,tactic_name=Credential Access,technique_id=T1003,technique_name=Credential Dumping" condition="contains">dbgcore.dll</CallTrace>
       </ProcessAccess>
 </RuleGroup>
 </EventFiltering>

10_process_access/include_desktop.xml

@@ -1,9 +1,9 @@
-<Sysmon schemaversion="4.30">
-   <EventFiltering>
- <RuleGroup name="" groupRelation="or">
-      <ProcessAccess onmatch="include">
-			<TargetImage condition="contains">Desktop</TargetImage> <!--Files on the Desktop-->
-		</ProcessAccess>
-</RuleGroup>
-</EventFiltering>
+<Sysmon schemaversion="4.30">
+   <EventFiltering>
+ <RuleGroup name="" groupRelation="or">
+      <ProcessAccess onmatch="include">
+			<TargetImage condition="contains">Desktop</TargetImage> <!--Files on the Desktop-->
+		</ProcessAccess>
+</RuleGroup>
+</EventFiltering>
 </Sysmon>

10_process_access/include_dumphashes.xml

@@ -3,19 +3,19 @@
  <RuleGroup name="" groupRelation="or">
       <ProcessAccess onmatch="include">
          <Rule groupRelation="and">
-          <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\csrss.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
+          <TargetImage name="tactic_id=TA0006,tactic_name=Credential Access,technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\csrss.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
           <GrantedAccess>0x1F1FFF</GrantedAccess>
          </Rule>
          <Rule groupRelation="and">         
-          <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\wininit.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
+          <TargetImage name="tactic_id=TA0006,tactic_name=Credential Access,technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\wininit.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
           <GrantedAccess>0x1F1FFF</GrantedAccess>
          </Rule>            
          <Rule groupRelation="and">         
-          <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\winlogon.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
+          <TargetImage name="tactic_id=TA0006,tactic_name=Credential Access,technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\winlogon.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
           <GrantedAccess>0x1F1FFF</GrantedAccess>
          </Rule>            
          <Rule groupRelation="and">         
-          <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\services.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
+          <TargetImage name="tactic_id=TA0006,tactic_name=Credential Access,technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\services.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
           <GrantedAccess>0x1F1FFF</GrantedAccess>                              
          </Rule>          
       </ProcessAccess>

10_process_access/include_hook_check.xml

@@ -2,7 +2,7 @@
    <EventFiltering>
  <RuleGroup name="" groupRelation="or">
       <ProcessAccess onmatch="include">
-         <GrantedAccess name="technique_id=T1093,technique_name=Process Hollowing">0x21410</GrantedAccess> <!-- misc::detours in Mimikatz, thanks @Carlos_Perez -->
+         <GrantedAccess name="tactic_id=TA0005,TA0004,tactic_name=Defense Evasion, Privilege Escalation,technique_id=T1055,technique_name=Process Injection,subtechnique_id=T1055.012,subtechnique_name=Process Hollowing">0x21410</GrantedAccess> <!-- misc::detours in Mimikatz, thanks @Carlos_Perez -->
       </ProcessAccess>
 </RuleGroup>
 </EventFiltering>

10_process_access/include_lsass_access.xml

@@ -4,19 +4,19 @@
       <ProcessAccess onmatch="include">
         <!-- In some environments this causes HIGH CPU usage by sysmon, remove this module when that occurs -->
          <Rule groupRelation="and">
-          <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
+          <TargetImage name="tactic_id=TA0006,tactic_name=Credential Access,technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
           <GrantedAccess>0x1FFFFF</GrantedAccess><!--Expect EDRs/AVs to also trigger this-->
          </Rule> 
          <Rule groupRelation="and">
-          <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
+          <TargetImage name="tactic_id=TA0006,tactic_name=Credential Access,technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
           <GrantedAccess>0x1F1FFF</GrantedAccess>
          </Rule>          
          <Rule groupRelation="and">
-          <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
+          <TargetImage name="tactic_id=TA0006,tactic_name=Credential Access,technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
           <GrantedAccess>0x1010</GrantedAccess>
          </Rule>          
          <Rule groupRelation="and">
-          <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
+          <TargetImage name="tactic_id=TA0006,tactic_name=Credential Access,technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1550.002--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
           <GrantedAccess>0x143A</GrantedAccess>
          </Rule>          
       </ProcessAccess>

10_process_access/include_office_process_injection.xml

@@ -2,7 +2,7 @@
    <EventFiltering>
  <RuleGroup name="" groupRelation="or">
       <ProcessAccess onmatch="include"><!-- Credit to @Antonlovesdnb https://blog.pwntario.com/team-posts/antons-posts/hunting-malicious-macros-->
-        <Rule groupRelation="and" name="technique_id=T1055,technique_name=Process Injection">
+        <Rule groupRelation="and" name="tactic_id=TA0005,TA0004,tactic_name=Defense Evasion, Privilege Escalation,technique_id=T1055,technique_name=Process Injection">
             <SourceImage condition="contains all">C:\Program Files;\Microsoft Office\Root\Office</SourceImage>
             <CallTrace condition="contains">\Microsoft Shared\VBA</CallTrace>
         </Rule>

10_process_access/include_process_discovery.xml

@@ -2,7 +2,7 @@
    <EventFiltering>
  <RuleGroup name="" groupRelation="or">
       <ProcessAccess onmatch="include">
-          <!--<GrantedAccess name="technique_id=T1057,technique_name=Process Discovery">0x1410</GrantedAccess>  Disabled, quite noisy --><!--Experimental: when a process accesses a lot of other processes this is process discovery through meterpreter for example-->   
+          <!--<GrantedAccess name="tactic_id=TA0007,tactic_name=Discovery,technique_id=T1057,technique_name=Process Discovery">0x1410</GrantedAccess>  Disabled, quite noisy --><!--Experimental: when a process accesses a lot of other processes this is process discovery through meterpreter for example-->   
       </ProcessAccess>
 </RuleGroup>
 </EventFiltering>

10_process_access/include_process_suspend_resume.xml

@@ -2,12 +2,12 @@
    <EventFiltering>
  <RuleGroup name="" groupRelation="or">
       <ProcessAccess onmatch="include">
-         <GrantedAccess name="technique_id=T1093,technique_name=Process Hollowing">0x0800</GrantedAccess> <!-- PROCESS_SUSPEND_RESUME -->
-         <GrantedAccess name="technique_id=T1003,technique_name=Credential Dumping">0x0810</GrantedAccess> <!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ - possible memory dump to extract sensitive information -->
-         <GrantedAccess name="technique_id=T1055,technique_name=Process Injection">0x0820</GrantedAccess> <!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE - possible memory injection -->
-         <GrantedAccess name="technique_id=T1093,technique_name=Process Hollowing">0x800</GrantedAccess> <!-- PROCESS_SUSPEND_RESUME -->
-         <GrantedAccess name="technique_id=T1003,technique_name=Credential Dumping">0x810</GrantedAccess> <!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ - possible memory dump to extract sensitive information -->
-         <GrantedAccess name="technique_id=T1055,technique_name=Process Injection">0x820</GrantedAccess> <!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE - possible memory injection -->
+         <GrantedAccess name="tactic_id=TA0005,TA0004,tactic_name=Defense Evasion, Privilege Escalation,technique_id=T1055,technique_name=Process Injection,subtechnique_id=T1055.012,subtechnique_name=Process Hollowing">0x0800</GrantedAccess> <!-- PROCESS_SUSPEND_RESUME -->
+         <GrantedAccess name="tactic_id=TA0006,tactic_name=Credential Access,technique_id=T1003,technique_name=Credential Dumping">0x0810</GrantedAccess> <!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ - possible memory dump to extract sensitive information -->
+         <GrantedAccess name="tactic_id=TA0005,TA0004,tactic_name=Defense Evasion, Privilege Escalation,technique_id=T1055,technique_name=Process Injection">0x0820</GrantedAccess> <!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE - possible memory injection -->
+         <GrantedAccess name="tactic_id=TA0005,TA0004,tactic_name=Defense Evasion, Privilege Escalation,technique_id=T1055,technique_name=Process Injection,subtechnique_id=T1055.012,subtechnique_name=Process Hollowing">0x800</GrantedAccess> <!-- PROCESS_SUSPEND_RESUME -->
+         <GrantedAccess name="tactic_id=TA0006,tactic_name=Credential Access,technique_id=T1003,technique_name=Credential Dumping">0x810</GrantedAccess> <!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ - possible memory dump to extract sensitive information -->
+         <GrantedAccess name="tactic_id=TA0005,TA0004,tactic_name=Defense Evasion, Privilege Escalation,technique_id=T1055,technique_name=Process Injection">0x820</GrantedAccess> <!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE - possible memory injection -->
       </ProcessAccess>
 </RuleGroup>
 </EventFiltering>

10_process_access/include_suspicious_locations.xml

@@ -2,24 +2,24 @@
    <EventFiltering>
  <RuleGroup name="" groupRelation="or">
       <ProcessAccess onmatch="include">
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\PerfLogs\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\$Recycle.bin\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Intel\Logs\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\Default\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\Public\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\NetworkService\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Fonts\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Debug\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Media\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Help\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\addins\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\repair\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\security\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\system32\config\systemprofile\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="contains">VolumeShadowCopy</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="contains">\htdocs\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="contains">\wwwroot\</SourceImage>
-          <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="contains">\Temp\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\PerfLogs\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\$Recycle.bin\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Intel\Logs\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\Default\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\Public\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\NetworkService\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Fonts\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Debug\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Media\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Help\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\addins\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\repair\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\security\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\system32\config\systemprofile\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="contains">VolumeShadowCopy</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="contains">\htdocs\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="contains">\wwwroot\</SourceImage>
+          <SourceImage name="tactic_id=TA0005,tactic_name=Defense Evasion,technique_id=T1036,technique_name=Masquerading" condition="contains">\Temp\</SourceImage>
       </ProcessAccess>
 </RuleGroup>
 </EventFiltering>

10_process_access/include_suspicious_powershell.xml

@@ -3,7 +3,7 @@
  <RuleGroup name="" groupRelation="or">
       <ProcessAccess onmatch="include">
         <Rule groupRelation="and">
-          <CallTrace name="technique_id=T1059.001,technique_name=PowerShell" condition="contains">System.Management.Automation.ni.dll</CallTrace>
+          <CallTrace name="tactic_id=TA0002,tactic_name=Execution,technique_id=T1059,technique_name=Command and Scripting Interpreter,subtechnique_id=T1059.001,subtechnique_name=PowerShell" condition="contains">System.Management.Automation.ni.dll</CallTrace>
           <SourceImage condition="is not">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</SourceImage>
         </Rule>
       </ProcessAccess>

11_file_create/include_appc_shim.xml

@@ -2,7 +2,7 @@
    <EventFiltering>
  <RuleGroup name="" groupRelation="or">
       <FileCreate onmatch="include">
-          <TargetFilename name="technique_id=T1546.011,technique_name=Application Shimming" condition="contains">C:\Windows\AppPatch\Custom</TargetFilename>
+          <TargetFilename name="tactic_id=TA0004,TA0003,tactic_name=Privilege Escalation, Persistence,technique_id=T1546,technique_name=Event Triggered Execution,subtechnique_id=T1546.011,subtechnique_name=Application Shimming" condition="contains">C:\Windows\AppPatch\Custom</TargetFilename>
       </FileCreate>
 </RuleGroup>
 </EventFiltering>

11_file_create/include_batch_files.xml

@@ -1,10 +1,10 @@
-<Sysmon schemaversion="4.30">
-   <EventFiltering>
- <RuleGroup name="" groupRelation="or">
-      <FileCreate onmatch="include">
-			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
-			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
-		</FileCreate>
-</RuleGroup>
-</EventFiltering>
+<Sysmon schemaversion="4.30">
+   <EventFiltering>
+ <RuleGroup name="" groupRelation="or">
+      <FileCreate onmatch="include">
+			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
+			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
+		</FileCreate>
+</RuleGroup>
+</EventFiltering>
 </Sysmon>