As cyber attacks escalate in frequency and complexity, Windows, the world's most widely used operating system, is a frequent target. Sysmon, a monitoring tool for Windows, records a large volume of system activity, including process creation and network connections, and can therefore capture an adversary's malicious actions; its data is valuable for cyber attack analysis. However, manually analysing this large and complex attack data, let alone deriving effective countermeasures from it, is difficult for analysts. To address this problem, this paper proposes a method that automatically maps Sysmon logs to MITRE ATT&CK techniques. The method uses Atomic Red Team's attack-simulation dataset as labelled reference data and maps each log entry to an ATT&CK technique on the basis of the executed command line. Because MITRE ATT&CK links each technique to specific mitigations and detection methods, automating this mapping makes it possible to derive mitigation and detection guidance from Sysmon logs efficiently. An evaluation of the method's mapping accuracy on 36 test command lines based on real-world attack scenarios found that 34 were mapped correctly, a success rate of about 94% (34 of 36).
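The abstract describes the pipeline only at a high level: take the command line from a Sysmon process-creation event, compare it against command lines that Atomic Red Team tests execute for known techniques, and emit the technique ID, which can then be followed to ATT&CK's mitigations and detections. The following Python sketch is an added illustration of that pipeline and is not the paper's code. The paper says only that its mapping is command-line based; the TF-IDF cosine scoring, the tokenizer, the 0.2 threshold, the reference command lines and the Sysmon-style log lines are all assumptions constructed for this example. The technique IDs are real ATT&CK identifiers; the reference command lines are simplified stand-ins for atomic tests, not copied from the Atomic Red Team repository.

```python
"""Map Sysmon process-creation command lines to ATT&CK technique IDs by
similarity to a labelled set of Atomic Red Team-style command lines.

Added illustration, not the paper's code. TF-IDF cosine scoring, the
tokenizer and the threshold are assumptions made for this example.
"""
import math
import re
from collections import Counter

# Constructed reference set: (ATT&CK technique ID, command line). The IDs are
# real ATT&CK technique IDs; the command lines are simplified stand-ins for
# the commands Atomic Red Team tests execute, written for this illustration.
REFERENCE = [
    ("T1059.001", "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgA"),
    ("T1003.001", "procdump.exe -ma lsass.exe lsass_dump"),
    ("T1053.005", "schtasks /create /tn AtomicTask /tr C:\\Windows\\Temp\\atomic.exe /sc daily"),
    ("T1136.001", "net user atomic_user Password1 /add"),
    ("T1047", "wmic process call create calc.exe"),
]

# Constructed Sysmon-style log (key=value rendering, not Sysmon's XML). Only
# Event ID 1 (process creation) carries CommandLine; the Event ID 3 (network
# connection) record is included to show that it is skipped.
SYSMON_LOG = r'''
EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\update.exe"
EventID=3 Image=C:\Windows\System32\svchost.exe DestinationIp=10.0.0.5 DestinationPort=443
EventID=1 Image=C:\Tools\procdump64.exe CommandLine="procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp"
EventID=1 Image=C:\Windows\System32\net.exe CommandLine="net user backdoor P@ssw0rd! /add"
EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\alice\notes.txt"
'''

TOKEN_RE = re.compile(r"[^\s\"'(),;]+")
EVENT_RE = re.compile(r'EventID=(\d+).*?CommandLine="([^"]*)"')


def tokenize(cmd):
    """Lower-case, split on whitespace/quotes, drop directories and '.exe'."""
    toks = []
    for tok in TOKEN_RE.findall(cmd.lower()):
        tok = tok.rsplit("\\", 1)[-1]        # C:\Temp\l.dmp -> l.dmp
        tok = re.sub(r"\.exe$", "", tok)     # lsass.exe -> lsass
        if tok:
            toks.append(tok)
    return toks


class TechniqueMapper:
    """Nearest-reference classifier over TF-IDF vectors of command-line tokens."""

    def __init__(self, reference, threshold=0.2):
        self.threshold = threshold
        self.n = len(reference)
        self.df = Counter()
        docs = [(tid, Counter(tokenize(cmd))) for tid, cmd in reference]
        for _, tf in docs:
            self.df.update(tf.keys())
        self.vectors = [(tid, self._vec(tf)) for tid, tf in docs]

    def _idf(self, tok):
        # Smoothed IDF so tokens unseen in the reference still get a weight.
        return math.log((self.n + 1) / (self.df.get(tok, 0) + 1)) + 1

    def _vec(self, tf):
        return {t: c * self._idf(t) for t, c in tf.items()}

    @staticmethod
    def _cosine(a, b):
        dot = sum(w * b.get(t, 0.0) for t, w in a.items())
        na = math.sqrt(sum(w * w for w in a.values()))
        nb = math.sqrt(sum(w * w for w in b.values()))
        return dot / (na * nb) if na and nb else 0.0

    def map_command(self, cmd):
        """Return (technique_id, score); technique_id is None below threshold."""
        q = self._vec(Counter(tokenize(cmd)))
        best_tid, best = None, 0.0
        for tid, vec in self.vectors:
            score = self._cosine(q, vec)
            if score > best:
                best_tid, best = tid, score
        return (best_tid, best) if best >= self.threshold else (None, best)


def map_sysmon_log(log_text, mapper):
    """Return [(command_line, technique_or_None, score)] for each Event ID 1 record."""
    results = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m or m.group(1) != "1":
            continue                          # nothing to map (e.g. Event ID 3)
        cmd = m.group(2)
        tid, score = mapper.map_command(cmd)
        results.append((cmd, tid, score))
    return results


def accuracy(mapper, labelled):
    """(hits, total) over (command_line, expected_technique) pairs: the metric
    the paper reports as 34 of 36 on its own test set."""
    hits = sum(1 for cmd, tid in labelled if mapper.map_command(cmd)[0] == tid)
    return hits, len(labelled)


if __name__ == "__main__":
    mapper = TechniqueMapper(REFERENCE)
    for cmd, tid, score in map_sysmon_log(SYSMON_LOG, mapper):
        print(f"{tid or 'unmapped':<10} {score:.2f}  {cmd}")
```

Two caveats a practitioner would want to keep in mind with any scheme of this kind. First, coverage is bounded by the reference set: a command line for a technique that has no atomic test (here, the notepad launch) falls below the threshold and is reported as unmapped rather than forced onto a wrong technique. Second, cosine similarity favours short reference entries, so a reference containing near-duplicates (for example a bare `net user` beside `net user ... /add`) can be outscored by the shorter one; the reference set above avoids that case, and a deployment would want per-technique thresholds or an argument-aware tokenizer rather than the flat one shown.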
Okuma et al. studied this question.