Files
Anthropic-Cybersecurity-Skills/skills/building-threat-hunt-hypothesis-framework/references/standards.md
T

1.6 KiB

Standards and References - Building Threat Hunt Hypothesis Framework

MITRE ATT&CK Mappings

Technique Name Description
TA0001 Initial Access See attack.mitre.org/techniques/TA0001
TA0003 Persistence See attack.mitre.org/techniques/TA0003
TA0008 Lateral Movement See attack.mitre.org/techniques/TA0008
TA0010 Exfiltration See attack.mitre.org/techniques/TA0010

Detection Data Sources

Source Event ID Purpose
Sysmon 1 Process creation with command line
Sysmon 3 Network connection initiated
Sysmon 7 Image loaded (DLL)
Sysmon 10 Process access (LSASS)
Sysmon 11 File creation
Sysmon 12/13 Registry create/set
Sysmon 22 DNS query
Sysmon 25 Process tampering
Windows Security 4624 Successful logon
Windows Security 4625 Failed logon
Windows Security 4648 Explicit credential logon
Windows Security 4672 Special privileges assigned
Windows Security 4688 Process creation
Windows Security 4697 Service installed
Windows Security 4698 Scheduled task created
Windows Security 4769 Kerberos TGS requested
Windows Security 5140 Network share accessed

References