Add for_sysmon.md

2025-01-14 20:04:01 -05:00
parent 8a2ce3645c
commit 264ca53a5d
1 changed files with 104 additions and 0 deletions
--- a/for_sysmon.md
+++ b/for_sysmon.md
@ -0,0 +1,104 @@
+-	125728
+DLL	62394
+technique_id=T1574.010,technique_name=Services File Permissions Weakness	50850
+technique_id=T1571,technique_name=Non-Standard Port	19230
+Usermode	18863
+T1183,IFEO	16672
+InvDB-Pub	10734
+T1122	7695
+EXE	7086
+T1099	6151
+T1089	5654
+InvDB-CompileTimeClaim	5611
+InvDB-Path	5602
+InvDB-Ver	5476
+T1101	4664
+T1089,Tamper-Defender	3509
+T1031,T1050	2824
+Context,DeviceConnectedOrUpdated	2483
+T1042	2028
+T1088	1662
+T1053	1300
+InvDB-DriverVer	1244
+technique_id=T1036,technique_name=Masquerading	1220
+T1562,Tamper-Defender	1161
+technique_id=T1553.004,technique_name=Install Root Certificate	1133
+technique_id=T1055,technique_name=Process Injection	972
+technique_id=T1546.015,technique_name=Component Object Model Hijacking	889
+SSH	837
+T1165	768
+RDP	752
+technique_id=T1053,technique_name=Scheduled Task	700
+technique_id=T1059.007,technique_name=JavaScript	656
+T1023	638
+technique_id=T1021,technique_name=Remote Services	565
+technique_id=T1562.001,technique_name=Disable or Modify Tools	556
+InvDB	452
+OutlookAttachment	429
+T1060,RunKey	411
+technique_id=T1047,technique_name=Windows Management Instrumentation	382
+technique_id=T1059.001,technique_name=PowerShell	357
+T1176	306
+SMTP	282
+technique_id=T1099,technique_name=Timestomp	248
+Suspicious,ImageBeginWithBackslash	216
+technique_id=T1055.001,technique_name=Dynamic-link Library Injection	212
+Context,ProcessAccessedPrivateResource	200
+Downloads	169
+technique_id=T1574.002,technique_name=DLL Side-Loading	167
+technique_id=T1083,technique_name=File and Directory Discovery	157
+Tamper-Winlogon	132
+
+
+
+
+RuleName	count
+DLL	231493
+T1183,IFEO	108853
+technique_id=T1574.010,technique_name=Services File Permissions Weakness	73628
+technique_id=T1571,technique_name=Non-Standard Port	60142
+Usermode	53034
+InvDB-Pub	42338
+T1122	40195
+EXE	26750
+T1089	25222
+T1099	22219
+InvDB-CompileTimeClaim	20691
+InvDB-Path	20678
+InvDB-Ver	20236
+T1101	19945
+T1089,Tamper-Defender	15550
+Context,DeviceConnectedOrUpdated	11046
+T1042	11038
+T1031,T1050	10246
+technique_id=T1003,technique_name=Credential Dumping	10143
+technique_id=T1059.007,technique_name=JavaScript	7482
+T1088	7142
+technique_id=T1036,technique_name=Masquerading	6536
+InvDB-DriverVer	5612
+T1562,Tamper-Defender	5139
+technique_id=T1055,technique_name=Process Injection	3722
+technique_id=T1553.004,technique_name=Install Root Certificate	3468
+T1165	3210
+technique_id=T1053,technique_name=Scheduled Task	2691
+RDP	2674
+T1053	2568
+T1023	2305
+technique_id=T1546.015,technique_name=Component Object Model Hijacking	2171
+technique_id=T1562.001,technique_name=Disable or Modify Tools	1719
+technique_id=T1047,technique_name=Windows Management Instrumentation	1674
+technique_id=T1099,technique_name=Timestomp	1584
+technique_id=T1059.001,technique_name=PowerShell	1425
+technique_id=T1021,technique_name=Remote Services	1416
+SMTP	1413
+T1060,RunKey	1393
+InvDB	1378
+T1176	1299
+technique_id=T1574.002,technique_name=DLL Side-Loading	1206
+SSH	1003
+technique_id=T1055.001,technique_name=Dynamic-link Library Injection	997
+OutlookAttachment	960
+Context,ProcessAccessedPrivateResource	760
+Suspicious,ImageBeginWithBackslash	747
+technique_id=T1083,technique_name=File and Directory Discovery	602
+technique_name=Outlook Server 95/98 Identity Keys	592