Posts

Showing posts from June, 2023

Agent Tesla Spearphishing

More .NET malware analysis. In this post, we'll be analyzing another spearphishing email, this time masquerading as a mathematics paper exploiting CVE-2017-11882. And we'll generate some Yara rules for detecting it.

Sysmon Custom Templates for Event Tracing

A few days ago I learned it's possible to configure Sysmon to enable tailored Windows Event Tracing. By simply providing Sysmon with an XML ruleset, we can generate custom alerts and automatically filter for and tag particular events. For example, the following rule would alert us to proxy code execution using .NET's C# compiler, csc.exe:

    <!-- MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery -->
    <Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
      <Image condition="image">csc.exe</Image>
      <CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
    </Rule>

The above is a snippet from the default template published by @SwiftOnSecurity. But various orgs have made their own forks. And it can be furth...