atomic-threat-coverage/analytics.csv

tactic,technique,detection rule,category,platform,type,channel,provider,data needed,logging policy,enrichment,enrichment requirements,response playbook,response action
TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0027_windows_audit_directory_service_access,-,,-,-
TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0028_windows_audit_sam,-,,-,-
TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,-,,-,-
TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,-,,-,-
TA0007: Discovery,T1069: Permission Groups Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0027_windows_audit_directory_service_access,-,,-,-
TA0007: Discovery,T1069: Permission Groups Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0028_windows_audit_sam,-,,-,-
TA0007: Discovery,T1069: Permission Groups Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,-,,-,-
TA0007: Discovery,T1069: Permission Groups Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,-,,-,-
TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,-,,-,-
TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,-,,-,-
TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,-,,-,-
TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,-,,-,-
TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,-,,-,-
TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,-,-,,-,-
TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,-,,-,-
TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,-,,-,-
TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,-,,-,-
TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,-,-,,-,-
TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,-,,-,-
TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,-,,-,-
TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1208: Kerberoasting,Suspicious Kerberos RC4 Ticket Encryption,-,-,-,-,-,-,-,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,SAM Dump to AppData,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,-,-,,-,-
TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1085: Rundll32,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,-,,-,-
TA0005: Defense Evasion,T1086: PowerShell,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,-,,-,-
TA0002: Execution,T1085: Rundll32,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,-,,-,-
TA0002: Execution,T1086: PowerShell,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,-,,-,-
TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Detection LSASS Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Detection LSASS Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0005: Defense Evasion,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_windows_powershell_engine_lifecycle,-,-,,-,-
TA0002: Execution,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_windows_powershell_engine_lifecycle,-,-,,-,-
TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,-,,-,-
TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,-,,-,-
TA0002: Execution,T1035: Service Execution,PsExec Service Start,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0002: Execution,T1035: Service Execution,PsExec Service Start,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0002: Execution,T1035: Service Execution,PsExec Service Start,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0002: Execution,T1035: Service Execution,PsExec Service Start,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1088: Bypass User Account Control,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1191: CMSTP,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0004: Privilege Escalation,T1088: Bypass User Account Control,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0004: Privilege Escalation,T1191: CMSTP,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1088: Bypass User Account Control,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1191: CMSTP,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Malicious Service Install,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Malicious Service Install,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,-,-,,-,-
TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0004: Privilege Escalation,T1183: Image File Execution Options Injection,Registry Persistence Mechanisms,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,-,,-,-
TA0003: Persistence,T1183: Image File Execution Options Injection,Registry Persistence Mechanisms,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,-,,-,-
TA0005: Defense Evasion,T1183: Image File Execution Options Injection,Registry Persistence Mechanisms,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,-,,-,-
TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,PowerShell Network Connections,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0003: Persistence,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,-,-,-,-,-,-,-,-,,-,-
TA0004: Privilege Escalation,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,-,-,-,-,-,-,-,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Mimikatz DC Sync,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0027_windows_audit_directory_service_access,-,,-,-
TA0005: Defense Evasion,T1070: Indicator Removal on Host,Eventlog Cleared Experimental,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,-,-,,-,-
TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,-,-,-,-,-,-,-,-,,-,-
TA0005: Defense Evasion,T1116: Code Signing,Secure Deletion with SDelete,-,-,-,-,-,-,-,-,,-,-
TA0006: Credential Access,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,-,-,,-,-
TA0006: Credential Access,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0026_windows_audit_user_account_management,-,,-,-
TA0006: Credential Access,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,-,-,,-,-
TA0006: Credential Access,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,-,,-,-
TA0007: Discovery,T1087: Account Discovery,Hacktool Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,-,,-,-
TA0007: Discovery,T1075: Pass the Hash,Hacktool Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,-,,-,-
TA0007: Discovery,T1114: Email Collection,Hacktool Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,-,,-,-
TA0007: Discovery,T1059: Command-Line Interface,Hacktool Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,-,,-,-
TA0002: Execution,T1087: Account Discovery,Hacktool Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,-,,-,-
TA0002: Execution,T1075: Pass the Hash,Hacktool Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,-,,-,-
TA0002: Execution,T1114: Email Collection,Hacktool Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,-,,-,-
TA0002: Execution,T1059: Command-Line Interface,Hacktool Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,-,,-,-
TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Malicious PowerShell Commandlets,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,-,,-,-
TA0002: Execution,T1086: PowerShell,Malicious PowerShell Commandlets,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,-,,-,-
TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocation based on Parent Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0004: Privilege Escalation,T1178: SID-History Injection,Addition of SID History to Active Directory Object,-,-,-,-,-,-,-,-,,-,-
TA0006: Credential Access,T1208: Kerberoasting,NTLM Logon,-,-,-,-,-,-,-,-,,-,-
TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Persistence - Command Line Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Remote Thread in LSASS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,-,,-,-
TA0008: Lateral Movement,T1078: Valid Accounts,Admin User Remote Logon,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,-,,-,-
TA0005: Defense Evasion,T1096: NTFS File Attributes,NTFS Alternate Data Stream,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,-,,-,-
TA0005: Defense Evasion,T1096: NTFS File Attributes,NTFS Alternate Data Stream,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,-,,-,-
TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Rare Schtasks Creations,-,-,-,-,-,-,-,-,,-,-
TA0004: Privilege Escalation,T1053: Scheduled Task,Rare Schtasks Creations,-,-,-,-,-,-,-,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Rare Schtasks Creations,-,-,-,-,-,-,-,-,,-,-
TA0008: Lateral Movement,T1075: Pass the Hash,Successful Overpass the Hash Attempt,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,-,,-,-
TA0005: Defense Evasion,T1070: Indicator Removal on Host,Security Eventlog Cleared,-,-,-,-,-,-,-,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,-,-,-,-,-,-,-,-,,-,-
TA0005: Defense Evasion,T1070: Indicator Removal on Host,Eventlog Cleared,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,-,-,,-,-
TA0007: Discovery,T1033: System Owner/User Discovery,Whoami Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0007: Discovery,T1033: System Owner/User Discovery,Whoami Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0007: Discovery,T1033: System Owner/User Discovery,Whoami Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0007: Discovery,T1033: System Owner/User Discovery,Whoami Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0007: Discovery,T1033: System Owner/User Discovery,Whoami Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0007: Discovery,T1033: System Owner/User Discovery,Whoami Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0007: Discovery,T1033: System Owner/User Discovery,Whoami Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0007: Discovery,T1033: System Owner/User Discovery,Whoami Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0007: Discovery,T1033: System Owner/User Discovery,Whoami Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0002: Execution,T1086: PowerShell,PowerShell Credential Prompt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,-,,-,-
TA0006: Credential Access,T1086: PowerShell,PowerShell Credential Prompt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1047: Windows Management Instrumentation,SquiblyTwo,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0008: Lateral Movement,T1077: Windows Admin Shares,smbexec.py Service Installation,-,-,-,-,-,-,-,-,,-,-
TA0008: Lateral Movement,T1035: Service Execution,smbexec.py Service Installation,-,-,-,-,-,-,-,-,,-,-
TA0002: Execution,T1077: Windows Admin Shares,smbexec.py Service Installation,-,-,-,-,-,-,-,-,,-,-
TA0002: Execution,T1035: Service Execution,smbexec.py Service Installation,-,-,-,-,-,-,-,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Activity Related to NTDS.dit Domain Hash Retrieval,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1086: PowerShell,PowerShell called from an Executable Version Mismatch,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_windows_powershell_engine_lifecycle,-,-,,-,-
TA0002: Execution,T1086: PowerShell,PowerShell called from an Executable Version Mismatch,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_windows_powershell_engine_lifecycle,-,-,,-,-
TA0007: Discovery,T1073: DLL Side-Loading,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0007: Discovery,T1073: DLL Side-Loading,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0007: Discovery,T1073: DLL Side-Loading,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0007: Discovery,T1073: DLL Side-Loading,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0007: Discovery,T1073: DLL Side-Loading,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0007: Discovery,T1073: DLL Side-Loading,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0007: Discovery,T1073: DLL Side-Loading,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0007: Discovery,T1073: DLL Side-Loading,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0007: Discovery,T1073: DLL Side-Loading,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0007: Discovery,T1012: Query Registry,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0007: Discovery,T1012: Query Registry,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0007: Discovery,T1012: Query Registry,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0007: Discovery,T1012: Query Registry,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0007: Discovery,T1012: Query Registry,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0007: Discovery,T1012: Query Registry,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0007: Discovery,T1012: Query Registry,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0007: Discovery,T1012: Query Registry,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0007: Discovery,T1012: Query Registry,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0003: Persistence,T1050: New Service,Malicious Service Installations,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,-,,-,-
TA0004: Privilege Escalation,T1050: New Service,Malicious Service Installations,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,-,,-,-
TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Executable in ADS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,-,-,,-,-
TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocations - Generic,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,-,,-,-
TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocations - Generic,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,-,,-,-
TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,-,-,-,-,-,-,-,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,-,-,-,-,-,-,-,-,,-,-
TA0004: Privilege Escalation,T1078: Valid Accounts,Enabled User Right in AD to Control User Objects,-,-,-,-,-,-,-,-,,-,-
TA0005: Defense Evasion,T1158: Hidden Files and Directories,Hiding files with attrib.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1158: Hidden Files and Directories,Hiding files with attrib.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1054: Indicator Blocking,Disabling Windows Event Auditing,-,-,-,-,-,-,-,-,,-,-
TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via sdclt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,-,,-,-
TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via sdclt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,-,,-,-
TA0002: Execution,T1086: PowerShell,Malicious PowerShell Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,-,,-,-
TA0002: Execution,T1086: PowerShell,Malicious PowerShell Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,-,,-,-
TA0003: Persistence,T1050: New Service,Rare Service Installs,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,-,,-,-
TA0004: Privilege Escalation,T1050: New Service,Rare Service Installs,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,-,,-,-
TA0008: Lateral Movement,T1078: Valid Accounts,Interactive Logon to Server Systems,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,-,,-,-
TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1212: Exploitation for Credential Access,NetNTLM Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,-,,-,-
TA0005: Defense Evasion,T1089: Disabling Security Tools,Microsoft Malware Protection Engine Crash,-,-,-,-,-,-,-,-,,-,-
TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Microsoft Malware Protection Engine Crash,-,-,-,-,-,-,-,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,-,-,-,-,-,-,-,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0010_windows_sysmon_WmiEvent,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0007_windows_sysmon_ProcessAccess,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1086: PowerShell,Default PowerSploit Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1107: File Deletion,Backup Catalog Deleted,-,-,-,-,-,-,-,-,,-,-
TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,-,-,-,-,-,-,-,-,,-,-
TA0003: Persistence,T1100: Web Shell,Antivirus Web Shell Detection,-,-,-,-,-,-,-,-,,-,-
TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Persistence - Script Event Consumer File Write,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0005: Defense Evasion,T1085: Rundll32,Rundll32 Internet Connection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0002: Execution,T1085: Rundll32,Rundll32 Internet Connection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,-,,-,-
TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0002: Execution,T1203: Exploitation for Client Execution,Antivirus Exploitation Framework Detection,-,-,-,-,-,-,-,-,,-,-
TA0002: Execution,T1219: Remote Access Tools,Antivirus Exploitation Framework Detection,-,-,-,-,-,-,-,-,,-,-
TA0011: Command and Control,T1203: Exploitation for Client Execution,Antivirus Exploitation Framework Detection,-,-,-,-,-,-,-,-,,-,-
TA0011: Command and Control,T1219: Remote Access Tools,Antivirus Exploitation Framework Detection,-,-,-,-,-,-,-,-,,-,-
TA0005: Defense Evasion,T1055: Process Injection,Malicious Named Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0005: Defense Evasion,T1055: Process Injection,Malicious Named Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,-,,-,-
TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,Registry Persistence via Explorer Run Key,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,-,,-,-
TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,-,,-,-
TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0026_windows_audit_user_account_management,-,,-,-
TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0029_windows_audit_detailed_file_share,-,,-,-
TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Antivirus Password Dumper Detection,-,-,-,-,-,-,-,-,,-,-
TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0002: Execution,T1086: PowerShell,Detection of PowerShell Execution via DLL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1086: PowerShell,PowerShell PSAttack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,-,,-,-
TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocations - Specific,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,-,,-,-
TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocations - Specific,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,-,,-,-
TA0008: Lateral Movement,T1075: Pass the Hash,Pass the Hash Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,-,,-,-
TA0008: Lateral Movement,T1077: Windows Admin Shares,Access to ADMIN$ Share,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0030_windows_audit_file_share,-,,-,-
TA0002: Execution,T1086: PowerShell,Malicious PowerShell Commandlet Names,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,-,,-,-
TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,-,,-,-
TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,-,,-,-
TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,-,,-,-
TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,-,,-,-
TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Activity on LSASS,-,-,-,-,-,-,-,-,,-,-
TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,New RUN Key Pointing to Suspicious Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,-,,-,-
TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,-,-,,-,-
TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,-,-,,-,-
TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,-,-,,-,-
TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,-,-,,-,-
TA0006: Credential Access,T1003: Credential Dumping,LSASS Access Detected via Attack Surface Reduction,-,-,-,-,-,-,-,-,,-,-
TA0002: Execution,T1053: Scheduled Task,Scheduled Task Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1053: Scheduled Task,Scheduled Task Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0003: Persistence,T1078: Valid Accounts,Multiple Failed Logins with Different Accounts from Single Source System,-,-,-,-,-,-,-,-,,-,-
TA0004: Privilege Escalation,T1078: Valid Accounts,Multiple Failed Logins with Different Accounts from Single Source System,-,-,-,-,-,-,-,-,,-,-
TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,-,,-,-
TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,-,,-,-
TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,-,,-,-
TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,-,,-,-
TA0001: Initial Access,T1193: Spearphishing Attachment,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0001_identification_get_original_email
TA0001: Initial Access,T1193: Spearphishing Attachment,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
TA0001: Initial Access,T1193: Spearphishing Attachment,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
TA0001: Initial Access,T1193: Spearphishing Attachment,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
TA0001: Initial Access,T1193: Spearphishing Attachment,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
TA0001: Initial Access,T1193: Spearphishing Attachment,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
TA0001: Initial Access,T1193: Spearphishing Attachment,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
TA0001: Initial Access,T1193: Spearphishing Attachment,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
TA0001: Initial Access,T1193: Spearphishing Attachment,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
TA0001: Initial Access,T1193: Spearphishing Attachment,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
TA0001: Initial Access,T1193: Spearphishing Attachment,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
TA0001: Initial Access,T1193: Spearphishing Attachment,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
TA0001: Initial Access,T1193: Spearphishing Attachment,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
TA0001: Initial Access,T1192: Spearphishing Link,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0001_identification_get_original_email
TA0001: Initial Access,T1192: Spearphishing Link,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
TA0001: Initial Access,T1192: Spearphishing Link,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
TA0001: Initial Access,T1192: Spearphishing Link,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
TA0001: Initial Access,T1192: Spearphishing Link,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
TA0001: Initial Access,T1192: Spearphishing Link,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
TA0001: Initial Access,T1192: Spearphishing Link,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
TA0001: Initial Access,T1192: Spearphishing Link,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
TA0001: Initial Access,T1192: Spearphishing Link,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
TA0001: Initial Access,T1192: Spearphishing Link,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
TA0001: Initial Access,T1192: Spearphishing Link,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
TA0001: Initial Access,T1192: Spearphishing Link,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
TA0001: Initial Access,T1192: Spearphishing Link,-,-,-,-,-,-,-,-,-,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise